How will this work with open-source browsers like Firefox? After all, what's to stop somebody from publishing an extension or even a modified version of the browser itself? DRM seems fundamentally unenforceable, after all.
Are the people pushing for this hoping it's just too much hassle?
These questions aren't rhetorical: I'm interested in what exactly the DRM people are pushing and how they expect it to work. Just not interested enough to read about it myself :D. (Also, I think this makes for a great conversation topic.)
DRM people are not interested in how it'll work, in fact DRM often contributes to user of whatever it is implemented in suffering. They just want permission to insert their cluster fuck to keep getting rich.
They want to propose an API which would allow proprietary closed source binary blobs to display videos. In other words: They are pushing "yet another Flash" into HTML5.
At least Flash was used widely enough that the vulnerabilities were found. EME means there are several competing vendors of proprietary DRM plugins that talk directly to video card drivers, all with unknowable security characteristics.
I'm curious how with the whole open source community how this will be at all enforceable... there's nothing stopping me releasing a browser that says "To hell with DRM, I'm just not going to enforce any of it"... and because it's open source and out there in the wild, there's not a whole hell of a lot anyone can do to shut it down...
See my comment upthread about encrypted media and how licensing is used to control the availability of decryption keys. In existing DRM people are not required to implement it, but they can't achieve interoperability without the decryption keys.
The idea is that the browser is going to ask some lower-level DRM system to decode everything, only displaying it to the user. In theory this is supposed to go all the way down to the TPM, so that you cannot subvert it with a debugger or rootkit. In practice, there will probably be bugs that lead to video streams being captured anyway, and the whole thing will only serve to further divide people and make free software harder to use.
Take for example a DRM protected video. That video is being send to the framebuffer of my video card. If I use an open source OS and open source Browser, what on earth is stopping me from capturing that video output?
Nothing, which is why this whole proposal even exists.
With this standardized, we will continue to be legally and/or practically blocked from native consumption of protected content on general purpose GNU/Linux distributions.
Open source OSes will probably not have CDMs available, except when prepackaged into a proprietary widget (Android, ChromeOS, B2G is Mozilla decides to play ball)
If an open source system can run the CDM and is packaged in a proprietary widget; then I am allowed to take that open source system out of the widget, modify it to behave exactly as if it is still in the widget (so that it can still run the CDM) and redistribute the system to everyone.
It's very hazy. If the userland (running atop of the Linux kernel) is closed source then there's few things you can do. Also, you can't just rip out binaries and redistribute them at will, EULAs usually forbid it.
As I specifically mentioned, "If an open source system can run the CDM.." - the CDMs run inside a browser, and for an open source browser such as Firefox or Chromium I definitely can modify it and redistribute the modifications; and if Firefox and Chromium can't run the CDMs, well, then they won't get used much since that's the majority of users.
CDMs will most likely communicate with closed-source hardware that implements the decryption (e.g. Blu-ray's AACS requires video card support for AES and HDCP).
You might even not be able to use it elsewhere. For example, the current ChromeOS CDM apparently only runs on approved hardware that's locked down from the hardware up to prevent you running any unauthorized code - if you enable developer mode it disables playback, possibly even at the hardware level.
This is incorrect. The DRM may be shipped with the browser or whatnot, but it's fundamentally a plugin architecture. The Widevine plugin, for example, is the CDM plugin used by both Google Play and Netflix to provide DRM-protected video on Android and ChromeOS.
The DRM isn't actually implemented by the browser its more of a plugin architecture (Encrypted Media Extensions) which commercial closed source DRM plugin can fill.
If it's just going to end-up plug-ins, I don't understand why DRM is being treated specifically at all instead of tweaks to the existing general-purpose plug-in architecture. If you want DRM, deal with Microsoft Silverlight or Adobe Flash or roll your own.
But this still effectively limits the rendering of content to blessed implementations. Why introduce a standard that isn't open when there are already other options.
The existing plugins are heavy and don't integrate well with other web technologies. In addition, the NPAPI interface is not standardized (I believe). Thus, the point is to narrow down the scope of plugins from everything that Flash and Silverlight do to just a piece of code focused on DRM. Everything else that people use Flash and Silverlight can be replaced by standards and directly implemented in the browser. However, DRM, by its nature depends on closed-source compiled binaries, which means that it has to remain in a plug-in.
I imagine the client-side stuff won't really matter. I think in the end there will be a DRM API that will not trust the client. "Does this user have a valid key or username/pass to access this content" won't be answered on the client-side, but on the server-side.
Probably with a client-side file (or binary?) that gets delivered to the browser from the server and accessed locally in a sandboxed environment. This handles keys, auth, etc natively with the browser. This might be seamless to the end user.
Probably easily crackable like, say SteamWorks, but good enough to keep low-hanging fruit safe and copyright holders happy as we begin to retire flash entirely. Joe User won't be able to 'right-click and saveas' but he'll be able to view HTML5 video.
I think TBL is stuck between a rock and a hard place, just like Gabe Newell was with Steam. Users hate DRM, but he can't sell games without it. Some crowd-happy DRM scheme that's unobtrusive might be the only winning move here.
In most DRM systems the information is distributed encrypted. The decryption keys are given to technology developers who have specifically promised to obey the DRM rules, as well as to make their technology hard for users to understand or modify so that the users can't easily undo the restrictions or extract the decryption keys.
Hence a browser developer or OS developer or developer of whatever software is in question wouldn't be permitted (by the DRM system's inventor or administrator) to get decryption keys if they didn't promise to implement these restrictions.
Some of the people who invented the modern DRM business ecology called this "the intersection of technology, law, and commercial licensing" (the title of a 1996 article by Dean Marks and Bruce Turnbull). Here, the "technology" is DRM implementations -- including software obfuscation and other measures; the "law" is anticircumvention laws like the DMCA §1201 that make it risky for people to use the decryption keys in ways that industry dislikes; and "commercial licensing" is the permission from a DRM developer to interoperate with that DRM, including "compliance" rules (about the functionality of the technology product) and "robustness" rules (about tamper-resistance), that result in the licensee being issued decryption keys.
In my view (I worked on EFF's objection) this is a deliberate attack on software interoperability: the whole point is to allow someone to try to prevent interoperability with software that hasn't been "approved". And it's also in extreme tension with the idea of having browsers that end-users can modify (their individual instances of).
I see no way how an open source system can implement any effective DRM standard while staying open source.
If a proper open source system has a component that enforces DRM, and is functional when I download it, then it includes those keys; but gives me an unconditional right to use and modify it. And I am physically able to modify it, un-implementing those restrictions.
If part of the system cannot be modified by me, then the whole is not open source, and any open source system such as Firefox shouldn't include that part or standard.
> If part of the system cannot be modified by me, then the whole is not open source
"Open Source" definition does not include any clauses that require hardware manufacturers to provide you encryption and/or signing keys, so you could run your code. GPLv3 and "Free Software" are what you're looking for.
The Free Software Definition doesn't require free software to be copylefted or to include measures against TiVoization or against proprietary or restrictive downstream products. GPLv3 does this and the BSD license doesn't, and both are free software licenses.
As I said in another comment, people who usually say "free software" are more likely to think that preventing restrictive downstream products is an important goal than people who usually say "open source". But that doesn't mean it's part of the definition of what it means to be free software.
EDIT: I also think the comment the parent replied to was right to say "then the whole is not open source". BusyBox is both free and open source even though its license allows it to be included in the locked-down TiVo -- but the TiVo as a whole is not open source.
I agree. In previous discussions about this, some people emphasized the idea of open source development, as opposed to giving an open source software to an end user. For example, you could run a binary through an obfuscator after compiling in a decryption key -- from source code that had been published and distributed under an open source license. If the license isn't a reciprocal/copyleft license, this is probably not a license violation, but it seems wrong to say that the user who receives the binary is being given open source software.
This issue reflects the way that people have had very different ideas about what the point or purpose of free and open source software is (in some ways, reflecting the split between people who preferred to say "free software" over "open source" and vice versa).
It's also a very concrete issue today in whether people call, say, the Chrome browser "open source". Most of their source code is downloadable, derived from the fully open-source Chromium project, but in Google's current practice, users never get the complete source code to the Chrome binaries that they run. If you're focused on the development process, it might almost make sense to call Chrome "open source" because almost all of its source code is distributed, licensed, and developed in an open source manner -- but if you're focused on what users can do with the software, it's obviously just a proprietary application (with a proprietary EULA, to boot).
> For example, you could run a binary through an obfuscator after compiling in a decryption key -- from source code that had been published and distributed under an open source license.
Of course, if you do that you may as well just not release the source code at all, because there's no way for the user to tell that the binary does actually correspond to the source without also being able to extract the encryption key and break the DRM.
I think that verifiability is an important security benefit from publishing source code and I hope to talk more about that soon.
Some people think that publishing source code is first and foremost a way to get other people to collaborate on its development, not to ensure any particular rights or knowledge or safety for people who end up using the software. For example, you could imagine a consortium of people who each make a super-proprietary locked-down thing and they publish and collaborate on the code of some libraries that their respective locked-down things need. They actively do want other locked-down thing makers to comment on how to make the code better and contribute patches, but they actively don't want customers to use that knowledge to make the thing less locked-down (or to be able to verify what it does or doesn't do).
This is a situation that we often encounter in the real world, and in fact some of the locked-down thing makers are even surprised when people say the contrast in their behavior with respect to these audiences is strange or hypocritical, because they didn't know or didn't remember that other people think software freedom is partly or mainly meant to benefit users.
I've certainly noticed some people do that, but in essence isn't that just a way to get other people to do their development work for them for free, without giving those developers any of the benefits that come from true open source software in exchange?
But if the content keys work with actual open source software, then that software can always be modified to decode the content and remove any restrictions that the publisher might wish to apply.
That's why they have to obfuscate things at the code level too.
In past years in my career I worked in game development. I can say without hesitation that anything client side can be reverse engineered and hacked. Any limitation built into a browser can be circumvented, and it will happen in a matter of days from release.
The thing is most Firefox users don't even know what an extension is. If my parents' Firefox ships with support for DRMs, they won't care about it. Once it becomes widespread, there's simply no way to start "un-supporting it".
The EFF has strong words about where this is taking the open web [1]:
"A Web where you cannot cut and paste text; where your browser can't "Save As..." an image; where the "allowed" uses of saved files are monitored beyond the browser; where JavaScript is sealed away in opaque tombs; and maybe even where we can no longer effectively "View Source" on some sites, is a very different Web from the one we have today. It's a Web where user agents—browsers—must navigate a nest of enforced duties every time they visit a page. It's a place where the next Tim Berners-Lee or Mozilla, if they were building a new browser from scratch, couldn't just look up the details of all the "Web" technologies. They'd have to negotiate and sign compliance agreements with a raft of DRM providers just to be fully standards-compliant and interoperable."
They suggest the W3C may be digging itself into another hole like the one that led to the formation of WHATWG. A good read.
What is the WHATWG's position on this? They represent the browser makers. If they support DRM then it's game over. Another break-away standards group won't be able to do anything to sway the browser makers. What could they do?
Consider that three of the largest browser makers -- Microsoft, Apple, and Google -- all have arms that deal heavily with media companies.
I dislike DRM as much as the next person, but if it's implemented reasonably (think Steam or Netflix), then many consumers are willing to deal with it. EME was what enabled Netflix on ARM-based Chromebooks, for example; and I prefer EME to not being able to legally access media at all.
I prefer EME to not being able to legally access media at all.
In other words, you are willing to give up freedom to get--what, exactly? Movies? Music? Eye candy?
I confess I simply can't understand this point of view. People are willing to hand over the Internet to DRM and the media corporations because they can't live without the "entertainment" that Hollywood provides? People are willing to have their computers pwned just so they can watch Netflix? That appalls me.
Dude, having your computer pwned is the smallest thing people will give up for entertainment. Romans were happy to hand their Republic to an Emperor, as long as he kept the circensem coming.
I'm writing this comment from a Samsung Chromebook. When I use Chrome OS; I'm already giving up my freedom. Chromium itself is open-source, but there are tons of binary blobs on this device: the accelerated graphics driver for the Mali GPU, the ARM build of Adobe Flash, and the EME implementation that makes Netflix work on my device.
EME is not new. There are already devices shipping with implementations, like mine. If EME is standardized, what it means for me is that there's a chance that my device will work with all DRMed content I want to access, and not on a per-service basis.
We're not talking about giving "big bad media companies" full control of the Ring 0 Hypervisor; I am still perfectly capable of flipping the virtual developer switch on my device and booting a pure version of Linux at any time. If I buy a device ships like that, I hope that future me will have the good sense to return it to the store.
You're giving up a lot more than that. Last I heard, the existing Chrome OS implementation of HTML5 EME refuses to run unless the device is a Chromebook that's locked down to ensure no unauthorized or modified code is running anywhere on the device: enable developer mode and the CDM disables itself.
If you don't plan on using your laptop for anything outside of entertainment, being able to rewrite the software on the micro that controls the battery charging circuit is not particularly relevant or useful.
The WHATWG doesn't really "exist" in quite the same way that the W3C does. There isn't Process for obtaining an opinion that you can then ascribe to an organisation rather than one or more individuals. It only represents the browser makers insofar as the specs hosted at whatwg.org accurately reflect what browsers implement. Sometimes this is achived by adjusting the browsers to match the specs; oftentimes the opposite occurs.
It is certainly the case that several individuals editing specs under the WHATWG banner have set out their opposition to DRM. It seems unlikely that Hixie will include it the HTML spec he edits unless, of course, we end up with something implemented in browsers that is both interoperable and open. Since "open" rather defeats the point of DRM, it's difficult to imagine that happening, however.
Chrome and IE are the ones pushing this - so yes, the opinion of browser makers matter, but sadly the 2 biggest ones, Google and Microsoft, do not just support EME but are the ones driving it.
Seemingly, the WHATWG is against this. But there's a big difference between individuals on a mailing list and broader corporate interests.
It's a tragic comedy that everyone's yelling at the W3C for losing their way yet again... the WHATWG, weren't they great. Yet the WHATWG is basically a proxy for Google, Apple and Microsoft. And they have driven the W3C agenda for a long while.
When you repeatedly shit on the hippies, academics, and non-browser makers that had more sway in the past at the W3C, and replace them by corporate browser makers, you weaken the antibodies that were in place. The WHATWG's presence has marginalizing other voices within the W3C and forced it to listen to its primary members - i.e. corporate, pay-to-play ones.
> It's a place where the next Tim Berners-Lee or Mozilla, if they were building a new browser from scratch, couldn't just look up the details of all the "Web" technologies. They'd have to negotiate and sign compliance agreements with a raft of DRM providers just to be fully standards-compliant and interoperable.
I may be totally naive here, but I'm not really sure why this matters. That there is a WC3 standard does not imply that browsers have to adhere to it. If they didn't they simply wouldn't be able to access DRM protected content. From a UX perspective this seems no different from Netflix putting their content behind a login. Maybe I am being an idiot, if so please correct me, but this doesn't really seem like anything to worry about. The threats implied by EFF, that massive corporations will control content on the internet, seems only true for content published by those massive corporations (and thus are already happening now, with 3rd party DRM ie: Netflix's Silverlight player). It doesn't stop people from publishing non DRM protected content.
I would agree this doesn't belong in the spec on technical level, but it seems to be inclusive not exclusive.
The W3C is the guardian of the world wide web, a system for disseminating information publicly and globally to all those who may benefit from it. By standardizing DRM for video, they are giving legitimacy to a technical kludge that is designed specifically to prevent the dissemination of information. There are legitimate reasons why someone may wish to save a video to their hard drive, just like they can save an image today. There is no reason the web should be built upon mechanisms designed specifically to privilege corporate interests over the interests of those falling under fair use exemptions to copyright laws.
If I had my way we wouldn't have copyright at all. It seems idiotic to me for the same reasons patents are.
But we do, and so just as you say there are "legitimate reasons" why someone may wish to save a video, there are too "legitimate reasons" someone may want to share their work in a protected manner. It's a product. If you don't like it don't buy it.
There is no part of this that forces the user to view only DRM protected websites. As far as I can tell this only increases the rights of copyright holders, which, again, I think is stupid, but seems completely legal and a reasonable thing to do under our existing legal framework. Edit: it also does not seem like it will fundamentally change the user experience of the web since the things that it allows are mostly already doable, just not with an HTML standard.
If some copyright holder wants his stuff DRMed then they are free to implement their own DRM plugin or App. But I don't see why we should support them. Especially when it makes our nice open web depend on proprietary closed source binary blobs.
The idea was that HTML5 gets rid of Flash and similar plugins and not that HTML5 turns into a vehicle for "yet another Flash".
Next thing we are adding a spy module feature because advertisers and the NSA demand it? Well at least the spy module could be free software unlike the proprietary closed source binary blobs needed for Digital Restrictions Management.
I wouldn't recommend it: the name and logo are trademarked, and even if you replaced those, if anyone noticed the rest of the copying, you'd be the laughingstock of the internet. Who'd want to buy your product then?
I think you're proposing dire consequences where there aren't likely to be any.
Google copying Yahoo's front page code? Okay, that'll be in the news and everyone will have a good laugh.
Some Joe Schmoe Web Developer lifting CSS/HTML from an unknown client to sell to an unknown client? Eh, not so much. This probably happens often and goes undetected.
It's not my company, and the things I'm saying don't represent the opinions of my employer.
To your question, is it "ok," I couldn't provide the answer as I don't own the copyright.
My statement was that I wish we lived in a world without copyright. The rules would be very different, and thus we would act and compete differently. As is, brand is an important asset for a company. I think you know all this.
I also think your argument is a bit sophomoric and I find it obnoxious that you are calling out my employer's name.
If you're against "intellectual property" then you shouldn't use that propaganda term. Refer to the specific legal protections at issue, like copyright, patents, or trademarks, because they are all have very different functions and purposes.
That's an interesting piece, thanks for sharing. I think from the perspective of "what existing pieces of culture can I use to create something new" IP is actually a useful bucket. From the perspective of people who have already created or are consuming that piece of culture, I agree that combining trademark with copyright and patents is not useful.
Copyrights, patents and trademarks all share a single unifying assumption: ideas are things that can be owned. Since I disagree with that assumption, it makes sense to speak about "disagreeing with intellectual property" if IP is just a synonym for "a legal framework that uses violence to support laws that allow ideas to be owned."
It seems counter intuitive and even foolish to suggest that you could increase innovation and creativity by getting rid of copyrights and patents. But there is a great great example of an industry that actually thrives in both sales and innovation, despite not having any copyrights or patents - the fashion industry.
DRM doesn't "increase the rights" of copyright holders, it just intentionally goes out of its way to stifle everyone else. The fact that it's called "Digital Rights Management" is a bit of doublespeak, which is why the FSF encourages using the more accurate description of "Digital Restrictions Management."
Although it seems the word "copyright" is also a bit of doublespeak these days. In general it doesn't go out of its way to give authors the right to control how publishers distribute copies any more, it's been co-opted as a system for publishers to deny every individual the the ability to make their own copies for any reason. If you ask me they should call it a copy-block instead of a copy-right.
What I don't understand is that if these companies want so desperately to enforce DRM, why are they using the web? A native application is better suited to what they want to do, and they are going to end up writing DRM modules in native code anyway. So why are they targeting the web at all, and why do they insist on getting something that is fundamentally closed (DRM) put into something that was meant to be open (HTML)?
IMO, this is a very dumb approach. This would not be OK anywhere else. Feel free to enforce your copyright, but don't expect me to bear your burden without kicking and screaming.
Content providers want to be on the web, because that's where the audience is. If they're made to feel unwelcome on the web, they certainly will take their content away. This makes the web less useful and harms users.
The web has had copies of that content well before the "content providers" even had a website, and it'll have copies of the content well after they decide to leave.
All they can take away is the sources that actually bring them money.
The "web" has existed in a mature form for over 2 decades.
The web's success has been extraordinary in the same terms of any monumental human achievement -- the discovery of anti-biotics, the moon landing, the Magna Carta.
Why would we cripple that set of features just to make a tiny group of people happy (relative to the world's population, the copyright "special interest" cartel is indeed microscopic.)
And I thought web sites screwing up keyboard shortcuts was annoying..
1 - We'll lose the W3C. We'll have to either create another standards body, or go back to the 90's situation when nobody agreed on anything.
2 - There are a few places where actualy reading the data somebody sent to you is a crime. Despite the drawbacks on those kinds of law, some of those places are still very importantly economically, and we can't just ignore them, at least for now. If you create a code for "don't read this data" to be sent over the web, disobeying it will become a crime there.
1. I don't agree that this is true at all. The W3C is not created to destroy copyright, which seems to be the implication of your statement (ie: we will need a new standards body that does not provide a copyright-compliant standard). I don't agree with copyright law, but it is law. We currently have a web that provides the ability to companies to protect their data via implementation, this simply provides a spec to do it in a different way. It does not fundamentally change the user experience of the web.
2. Yes, like in the United States. Just like receiving stolen goods is a crime. No offense, but when you say things like "If you create a code for "don't read this data" to be sent over the web, disobeying it will become a crime there." I don't think you fully understand how DRM currently works and how it would work using this standard. It is simply a standard people can implement.
Edit: as some of you have pointed out, the phrase "copyright-compliant" is somewhat meaningless. I should've chosen my words more carefully. I meant "copyright-enforcement-enabling."
> The W3C is not created to destroy copyright, which seems to be the implication of your statement (ie: we will need a new standards body that does not provide a copyright-compliant standard).
No, what he means is that, if we stop listening to the W3C because of this, the W3C will no longer matter. So either we won't have a standards body, or we will need a new one.
Exactly. There are countless standards issued by the W3C that are completely ignored by Browser Vendors at large. Yet it's still the most relevant consortium on the matter.
Conversely, there are countless features introduced by Browser Vendors that do not exist in the W3C's specs. (And some of those are even eventually picked up by the W3c.)
I honestly don't think people understand how the Standards Body's work, and how their specs propagate into actual products that people use on a daily basis.
Many companies have cherry-picked what to implement and what not to. This is not new. If anything, it's the norm. Vendors will continue to do this as long as the W3C will exist, and can continue to do so in this case, without destroying the W3C or making it an invalid body.
It was your own suggestion that spawned this thread.
You wrote:
"I may be totally naive here, but I'm not really sure why this matters. That there is a WC3 standard does not imply that browsers have to adhere to it."
- https://news.ycombinator.com/item?id=6491428
marcosdumay is responding to that by saying "It matters because ..."
Sorry, fair point. My point that you quoted was that anyone could roll a browser that did not include the DRM standard (or any standard for that matter). And many do already. I don't think this implies that the W3C is dead.
anyone could roll a browser that did not include the DRM standard
And how many people will use it, apart from outliers like people who post here? The vast majority of people use one of the Big Three: Firefox, Internet Exploder [no, that's not a typo ;)], and Chrome.
Furthermore, if the Big Three implement a DRM standard, then web pages that want to "protect their content" will simply use the DRM standard, and it won't matter that Joe's Really Cool Browser doesn't implement it; that browser simply won't be able to view the pages. A few outliers like us will rant and rave; anyone else who tries it will say "Joe's Really Cool Browser Sucks" and go back to using one of the Big Three.
DRM can not work. Assuming that you don't come up with a plan, which prevents reading data, while allowing the reading of data. So if the W3C starts to write standards which defy the basis of logic, were are forced to abandon their standards, thus destroying the W3C.
There is no sense in which DRM is "copyright-compliant" and a lack of DRM is not "copyright-compliant", and there is no sense in which copyright requires anyone to help industry create or deploy DRM.
In reality though these control freak moves only "work" (for them) if everybody is forced to adopt. Another site another plugin type situation will shift a lot of people to non-drm content providers, whether on principle or maybe just plain old apathy. I'm sure browser makers could streamline this process so that it's a minimal hurdle to install a plugin but if it's optional then we have the option to avoid it and that is exactly what those goddamn morons would like to stop.
> 1 - We'll lose the W3C. We'll have to either create another standards body, or go back to the 90's situation when nobody agreed on anything.
We already lost the W3C once for about 10 years. Remember XHTML and XHTML2? Those, and a bunch of special purpose not particularly interesting niche XML standards (P3P? XML-FO?) were pretty much all they worked on for a decade or so. It wasn't until the WHATWG was formed by some browser vendors who wanted to start working on a standard for features that users would actually want, rather than what architecture astronauts thought would be a nice design, and the W3C realized that's what people were actually interested in and so replaced XHTML2 with HTML5 based on the WHATWG spec that they actually became relevant again.
Now, I will have to give credit that there were still a few groups at the W3C doing work relevant to the actual open web, such as SVG and CSS. But given how the WHATWG took over work on the HTML standard and actually did work towards a standard that was useful and relevant to browser vendors when the W3C went off the rails the last time means that I'm not too worried if it goes off the rails again this time, you can always form another standards body if it becomes irrelevant. You just need to be sure to recognize this early on, so you don't waste too much time and effort waiting for the W3C to get its act together again.
> W3C realized that's what people were actually interested in
So, with XHTML, the main thing is that people just wanted their web pages to work like they always had; they didn't want to deal with adding slashes to make their web pages XML and strict parsers and whatnot.
But with P3P, what people want is Netflix and Rdio on all their devices (such as ARM-based Samsung Chromebooks).
Frankly, I prefer the sound of standardized DRM to everyone rolling their own ala the 90s; with any luck it'll mean fewer formats/keys that need to be reverse engineered and whatnot.
First of all, I think you have gotten P3P confused with EME (or whatever the new term is). P3P, the "platform for privacy protection" was just one of my examples of previous useless stuff the W3C has worked on (it was basically a schema for describing a website's privacy policy, with dubious advantages over simply linking to a privacy policy in the footer).
Second, none of the proposals for EME that I've seen actually address the issue of being able to play the same content across devices. They aren't a standardized DRM scheme; they are merely hooks for proprietary DRM schemes, essentially a way to allow proprietary DRM schemes to hook into the HTML5 media player rather than having to use the plugin interface and implement the media player in Flash or Silverlight. It's basically just a plugin API for plugins that provide only DRM, leaving the rest up to the browser.
Don't think that this is meant to actually increase interoperability; a large portion of the "value" of DRM, for those who promote it, it the ability to have various lucrative exclusive contracts with particular cable networks, hardware vendors, and so on. You're just going to see more "Live NFL - a Samsung exclusive!", not actually be able to get Netflix on any device you want.
If it worked across any device, then it would need to work on open devices as well, but of course if the device is open you can bypass the DRM. So it's always going to be based on licenses, that only certain vendors can get if they promise to implement DRM securely and not give users full access to their own devices.
> They aren't a standardized DRM scheme; they are merely hooks for proprietary DRM schemes, essentially a way to allow proprietary DRM schemes to hook into the HTML5 media player rather than having to use the plugin interface and implement the media player in Flash or Silverlight. It's basically just a plugin API for plugins that provide only DRM, leaving the rest up to the browser.
Exactly: its a specification for a constrained plugin API focussed DRM, so that browsers don't have to either maintain a common general purpose plugin API (e.g., NPAPI) or, alternatively, have browser-specific APIs in order to meet content-owners demand for a DRM-supporting delivery channel.
"> It's a place where the next Tim Berners-Lee or Mozilla, if they were building a new browser from scratch, couldn't just look up the details of all the "Web" technologies. They'd have to negotiate and sign compliance agreements with a raft of DRM providers just to be fully standards-compliant and interoperable."
What the hell are they even talking about here? Since when has ANY browser been "Fully, 100% W3C Compliant"?? Answer: None. Ever. Seriously.
There are rafts of non-compliant features, both legacy and newly introduced, in every single one of the most popular modern web browsers. (Even Opera!!) Certainly, with the last decade of popular support pushing Browser Vendors towards W3C compliance, the web has been more standards-based than ever before.
But this is just a silly argument. I agree with the political aim of the EFF here. But let's not just invent things or misrepresent things. It makes them lose credibility in my eyes.
Sure, not everything is standards-compliant, nor fully interoperable. But part of the transformative effect of open Internet standards has been that anyone can implement them without permission from others (indeed, the IP policy of the W3C is pretty much engineered to make this the case).
If you want to implement a DRM binary blob with EME, you're going to have to negotiate a compliance contract of some kind with the DRM vendor, probably connected to some hook IP. (See http://en.wikipedia.org/wiki/Compliance_and_Robustness )
The problem isn't that browsers do or don't have to implement this "standard"; the problem is that the standard itself isn't enough to actually support the content it claims to support.
It's the equivalent of standardizing the object or embed tags: it's a standard way of getting at non-standard functionality, and sites then depend on specific implementations of that non-standard functionality, the same way they depend on the Flash plugin today in ways that knowing how to implement the object tag doesn't help with.
Standardizing a single fully-specified mechanism for DRM might actually be useful (debatably), but that would break the current model in which DRM is completely unsound and relies on security-through-obscurity. "Standardizing" a means of getting at the myriad non-standard DRM implementations and their non-standard APIs is worse than worthless: it's actively harmful, and it prolongs the death of those technologies.
Right now, content providers have to choose whether to support the open web or DRM. They should continue to have to make that choice, with supporters of the open web reaching a larger audience, until eventually all the holdouts either switch or lose. This is a major step backward for that goal, and the W3C has no business claiming EME has anything to do with the open web.
"From a UX perspective this seems no different from Netflix putting their content behind a login."
That depends on where you think UX ends. That login will work fine from within an open source browser and/or OS you compiled (and possibly wrote or tweaked) yourself.
I haven't read the article, but if that DRM works, it wouldn't run in your browser on your OS, as content providers would not trust them. Chances are that your Chrome, Firefox, or Safari extensions wouldn't even work with the DRM (at best, they would get disabled on protected (from you) pages.)
That would be the dystopian outcome if the sites and browsers together diverged from open standards and started forcing DRM on everyone.
What this standard actually specifies however, is only that the browser will respond to a certain tag by looking for some proprietary-ware to play whatever audio and/or video someone wants to restrict.
This is a disappointing move on the part of w3c, because it lends some air of legitimacy to DRM, and because it revives the otherwise dying plugin system under a new name. But it doesn't actually force DRM on anyone or restrict the ability to do anything on the web.
The best case would be that users are unwilling to install the black-box-ware in order to see videos or whatever, and the feature is little used and the copyright exploiters have to either unlock the content or go away with it. None of which would be bad.
This is a bit of an exaggeration, we have had content like this on the web for years with proprietary technologies like flash, silverlight ,activeX and highly obfuscated JS. Not to mention the amount of content locked into walled gardens and proprietary app stores etc.
The W3 proposals suggested do not in fact mandate browser vendors implement any DRM scheme to remain 100% standards compliant. This is myth that gets repeated on HN surprisingly often.
The issue is that some big name content providers don't want to sell you content unless they can also install things on your computer. This fact remains regardless of the technological implementation details.
The overwhelming majority of content on the web is DRM free. These proposals do not mandate nor give any incentive for that content to be protected if it is not already.
>The issue is that some big name content providers don't want to sell you content unless they can also install things on your computer. This fact remains regardless of the technological implementation details.
Sure, but we don't have to aid them in their quest
>The overwhelming majority of content on the web is DRM free. These proposals do not mandate nor give any incentive for that content to be protected if it is not already.
The practical effect of being able to deliver DRM'd content to every non-technical web user, without first having to get that user to download and install your proprietary software, is just massive. This is one of the biggest falloff points in the conversion funnel, so it makes this new delivery method highly attractive. As it is now, businesses have to balance the cost of losing customers against the cost of not being able to DRM their content. Take that dilemma away and I think you certainly have a new incentive. The practical effects of this are far reaching imo.
It seems odd for HN to be in favour of making technology & content marginally less accessible simply to spite people.
Perhaps there exists a class of people who wanted to implement DRM on all of their content but were just waiting for the W3s blessing but such a class will be extremely small.
Most of the DRM you see comes from mandates from big content firms, most other people could give less of a shit.
DRM'd content isn't accessible and that's the entire problem. Adding a standardized hook for DRM modules to use creates the illusion that things got accessible that previously weren't.
Try exercising your fair-use rights on those DRM'd bits for example.
"As it is now, businesses have to balance the cost of losing customers against the cost of not being able to DRM their content. Take that dilemma away and I think you certainly have a new incentive."
And the businesses (Hollywood) with the content that Web users want have done that math and decided that DRM through plug-ins and native apps is an EXCELLENT system and they're happy to keep mandating it forever. If Plug-ins go away, as they're slowly but surely doing, then native apps will be the only place to get this content.
Hacker News types, myself included, will cringe at this truth, but most consumers don't give a shit about the Web. They care about the content the Web gives them. If the Web cannot give them the content they want, they'll get it elsewhere, probably from silo'd App Stores where things "just work."
> Hacker News types, myself included, will cringe at this truth, but most consumers don't give a shit about the Web. They care about the content the Web gives them. If the Web cannot give them the content they want, they'll get it elsewhere, probably from silo'd App Stores where things "just work."
I don't cringe at that, it's just the way it is. But I promise you no-install browser delivery of DRM'd content which "just works" is very valuable to those businesses. People grab the thing within arm's reach. Sure, if there isn't anything in arm's reach a decent amount of them will still walk across the room for what they want, but I think that's besides the point.
If the Web cannot give them the content they want, they'll get it elsewhere, probably from silo'd App Stores where things "just work."
And in this scenario (i.e., the way things are now), someone like me, who doesn't give a shit about "content" but does care about the Web itself, can still avoid DRM by not installing the plugins, not using the silo'd App Stores, etc. But if my browser is the silo'd plugin/App Store, I'm SOL. That is why all this matters: it makes DRM and all of the closed source nastiness that goes with it the default, instead of something people have to choose. I think that's a very, very bad idea.
If Digital Restrictions Management gets added to HTML5 then it makes it far easier for content hosts to add restrictions. This is a huge risk.
But more importantly the idea of HTML5 was to get rid of proprietary closed source plugins like Flash. Adding DRM to HTML5 will make it rely on proprietary closed source plugins.
I hope the W3C reconsiders. If somebody feels the need for DRM then they should implement their own stuff outside of the open web.
Browser vendors don't have to implement any DRM scheme, but they will and sites will use them. What this means in practice is that there will be 100% standards compliant, pure HTML5 websites that can only legally be rendered in specific, proprietary browsers. The stated purpose of HTML5 EME is to make it a criminal offence under the DMCA anti-circumvention clause to develop an unauthorised browser or extension that displays the protected content.
If anything this is worse than proprietary plugins because those used documented APIs that any browser could support, whereas this is integrated into the web browser itself.
If anything it's the opposite. Defining a standard interface for content decryption allows such a system to be browser agnostic. You install a module and it works in any browser which implements the spec, whether proprietary or open source.
The purpose of encryption is to secure communications between two trusted endpoints against untrusted intermediaries. Since all parties to the exchange are trusted and the intent is for both parties to have access to the data, an open source encryption system works.
DRM's purpose is similar, but one of the endpoints is in the physical control of an untrusted entity: you. Since the point of DRM is to prevent the user at one of the endpoints from accessing the data, if you have the source and keys to the destination endpoint (e.g. TPM, HDCP-enabled GPU), the endpoint can't be trusted, you can get the data, and the DRM fails at its purpose.
But there's nothing compelling plugin developers to support all OS/browser combinations, so no, in practice it likely won't be OS-agnostic.
This scheme basically just creates a special class of plugins; these plugins clearly won't be OS-agnostic, because they can't -- that's the whole point of the exercise: to restrict playback to devices that are fully authorised/controlled from top to bottom, with the browser piping streams from the web to trusted plugins running on trusted OSes using trusted hardware (TPM etc).
Isn't this the same with all software? There is never anything mandating that anybody supports your OS or browser of choice.
If I want to watch netflix or play GTA5 on my haiku box I'm SOL as it is unless there is a business case to be made for doing the port.
This actually makes things easier. For example netflix currently uses silverlight for their streaming, this means that in order to watch netflix you need something that supports the entire silverlight stack.
With this proposal all you need is modern browser and a compatible CDM which is a much smaller chunk of code.
Much smaller, I don't think. It will still have to grab the screen and render directly onto it. It's basically the same thing a regular plugin would do except a little bit of identity validation, from what I understand.
Technically speaking it's almost the same as the status quo, but a little bit of DRM principles have now been enshrined in the foundations of our web. Depending on what your view of DRM is, of course, this is good news or bad news; but from a technical point of view, it changes very, very little.
Indeed, this changes nothing technically. But what it does is harm the idea that standards should promote the the open web. You may or may not agree to this idea of course.
It's not the same because HTML5 EME is designed to ensure anyone who manages to get media working on unauthorized platforms can be arrested under the anti-circumvention provisions of the DMCA and other similar laws. As in, this was actually one of the stated requirements.
Unless they've changed it since I looked, the only interface the HTML5 EME specification defines is the one between the website and the browser. There is no standardized interface between browsers and DRM modules, nor is there any requirement browsers support external content decryption modules. For example, last I heard IE was only going to support a built-in implementation of Microsoft's PlayReady which isn't available to anyone else.
In fact it's not clear that anyone can use a standardized, open API for decryption modules and meet content providers' security demands. While some of them were historically willing to use Flash which did use standard browser APIs, they've taken this as an opportunity to demand more.
It looks like the idea is to implement a system where encrypted content is passed to the browser. The key is then sent through the browser to the CDM, the CDM can take the content and hand back decrypted frames.
It's entirely possible for content vendors to support multiple CDMs for different browser or OS combinations. The advantage of this is that the CDM is a smaller dependency than something like silverlight, so you can have a standard HTML5 video player interface across platforms and just swap out CDMs.
That won't work. If the restrictions module simply hands back the decrypted data then you could just change the browser to dump the data on your disk.
The only way it will work is if the restrictions module handles everything from decryption, decoding, to rendering. Probably even using a hardware DRM scheme and preventing any interaction of the video data with the JavaScript or any other website elements.
If you read the spec: "The Content Decryption Module (CDM) is a generic term for a part of or add-on to the user agent that provides functionality for one or more Key Systems. Implementations may or may not separate the implementations of CDMs and may or may not treat them as separate from the user agent."
So the CDM isn't necessarily seperate from the browser itself - that's left totally as an implementation decision, and at least one widespread implementation (IE11) is integrating the CDM tightly into the browser. Also, even if the CDM is seperate it can render frames directly to the screen without passing through the browser. In particular, note that:
"Where media rendering is not performed by the UA, for example in the case of a hardware protected media pipeline, then the full set of HTML rendering capabilities, for example CSS Transforms, may not be available. One likely restriction is that video media may be constrained to appear only in rectangular regions with sides parallel to the edges of the window and with normal orientation."
So basically, just like with existing plugins, encrypted content is an opaque rectangle plonked on top of the web page that's not part of the browser's normal rendering pathway.
We've already got Silverlight, Flash, Java, so on and so forth... denying DRM entry to HTML won't stop DRM web content, and allowing it might just make the experience less miserable.
It will make it more miserable, because EME is not a standard DRM, it's a plug-in interface for launching browser-specific/vendor-specific DRM plug-ins. DRM plug-ins are allowed to do whatever they want, and proponents at W3C want to completely bypass the browser and have DRM all the way from TPM to HDCP.
Makers of Flash and Silverlight were a 3rd party in the DRM battle. They had to worry about their plugins' marketshare and could not implement too user-hostile DRM. They had to balance pleasing media corporations and users.
Now there won't be anything stopping MPAA's CEOs wet dreams running in your OS's kernel. Media corps have Netflix and Google (Play Store) in their pockets and can force them to ship all kinds of nastiness — under W3C's brand name.
The WHATWG are in control of the W3C's agenda. The corporate members of the WHATWG are the ones pushing for Web DRM. Oh, not the individuals necessarily. They might be opposed to it.
But they're just voices in a large game: Microsoft and Google are co-editors with Netflix of the new DRM spec.
The problem is MPAA & friends will already see this as an "entitlement" and say those other browsers are "facilitating piracy", while the major ones from Google, Microsoft and Apple aren't. Something like that will sound very good to government and authorities.
I really think allowing this to happen in the first place is just like opening the Pandora box. You give these guys an inch, they never stop demanding for more censorship.
Read the spec. This wouldn't work, specifically because EME is a set of interfaces to proprietary blobs which do the actual content decryption and optional rendering.
Building a browser that ignores EME would be functionally equivalent to building a browser that can't use Flash.
A browser can save the data after it's been rendered.
A DRM plugin can't tell the difference between an "approved" browser that doesn't do that versus a modified browser that just pretends to be an approved browser.
Yes, and the underlying platform (OS) can cooperate with the browser to allow easy one-click saving of the rendered data after it's been rendered. Unless the whole stack from hardware through to the DRM plugin is locked down.
Certainly, but that's always true of every non-trusted computing platform. You can do that with Flash or Silverlight or any other video DRM system today. I rather suspect it's a very big part of the reason that CDMs don't get published for Linux, because it would be trivial to modify the system to just jack the content on its way out to the display.
> Unless the whole stack from hardware through to the DRM plugin is locked down.
Which is why you have TPM and the various Microsoft/Apple/Google DRM schemes: Hollywood wants to lock down the full stack, and they're getting there one piece at the time.
For TPM, their enabler was Microsoft and their desire to lock down the boot process to enforce licensing. For this spec, it's Google and Netflix because they think it's the only way their media services will survive in the long run.
Insert here smart quote about expert frog-boiling.
Yeah, sure. Some sort of somewhat effective anti digital copying mechanism is a great way to enable video rentals on general purpose computers (especially given the pervasive copyright regime of modern video content).
There are issues to come when consumers only have access to encumbered media, but at the moment, they pretty clearly benefit from the access.
Distributors may not be happy once they discover that Safari supports FairPlay DRM, Chrome supports Widevine DRM, IE supports WMDRM, Samsung phones support SamDRM, HTC phones couldn't afford to license any DRM, etc.
Yeah. Also, there's no requirement for the different DRM schemes to support the same codecs or containers or encryption schemes, so potentially they'll have to re-encode all their content for each scheme. It's actually less standardized than pay TV encryption believe it or not!
Edit: The interface between the DRM servers and your backend code isn't standardized either, so content providers still have to do a bunch of DRM-scheme-specific development work. Basically, they standardized just enough to allow sites with DRM to claim they're 100% HTML5, it barely improves interoperability at all.
Funny how some of the largest sites on the internet can base their entire business model on stolen pictorial content - completely with stripping off the identifying information of the original artists - and nobody at the W3C bats an eye.
But the moment the MPAA muscles their way into the debate, suddenly we're all about DRM.
If you want DRM, you use a plug-in or a separate application. There's no reason that an app like Netflix or whatever can't use pure-HTML for everything but the video-stream and use a plug-in based object for the stream.
>If you want DRM, you use a plug-in or a separate application. There's no reason that an app like Netflix or whatever can't use pure-HTML for everything but the video-stream and use a plug-in based object for the stream.
And I seriously doubt with EME that it will change this way. I work for a media company, Flash is used not just for its DRM but because our ad vendors don't care about HTML5 support. It's why we can't move forward with HTML5 outside of mobile.
I think that many people are drastically underestimating the effect this may have on the open web. The response "oh, well we'll just build a browser that will avoid the DRM" isn't going to work quite as well as one might hope. It's not such a stretch of the imagination that content providers will detect such browsers and refuse to supply any content at all. This would be similar to what many sites do now for users of IE6-8, where a message is displayed prompting them to upgrade. Except in this case a message would be displayed telling you to download an effectively locked-down browser. Ugh.
Impossible, browser detection is easily spoofed. Some browsers come built with the ability to spoof other browsers since its valuable for developers who need to test how their sites appear in other browsers.
This will have precisely zero effect on the open web (whatever that is).
Amazing number of commenters fail to realise that:
a) nothing that makes web open is removed. Sorry to disappoint you, but HTML will keep working as it did.
b) technology not being w3c standard does not stop it from being implemented in browsers as history shows.
In the end what browser vendors do matters the most, not what w3c thinks. Just look at the history of WHATWG.
Can someone PLEASE explain to me the following: If my computer is playing the video and playing the audio. How on God's green earth can they stop me from capturing that? ... It's playing right in front of me... I can hear and see it. It's not hidden or secret. Look.
If you ask me, the only reason DRM has worked up to now, is because code/file formats/protocols were secret. People didn't have access to the source. But now they do, in the open source browsers.
Imagine a browser refuse playback video or audio clip based on Cinavia DRM plugin, and also a website requiring such plugin -- via the DRM API -- to provide any content.
From that link: "When media with the watermark is played back on a system with Cinavia detection, its firmware will detect the watermark and check that the device on which it is being played is authorized for that watermark."
So I just make a media player that ignores the watermark, based on the open source code I found in the browser... DRM hacked.
If it's encrypted all the way to the hardware, then it get's a bit more believable. But that really can't be done on the web, can it? "You no have DRM chip? No tubez for you!"
Come to think of it, in theory the Raspberry Pi could support a DRM scheme that's entirely "open source" in the same way that their graphics drivers are already. Basically, the GPU is actually a fairly powerful processor running a binary blob that receives messages from the ARM CPU - if it did all the decryption the CPU-side code could be entirely open.
I can't watch my Netflix account on Linux without using some Wine distribution because of the Silverlight DRM. I'd say I feel pretty punished on that end.
The analog hole will always exist. But please understand: it's ANALOG hole.
Ten years from now (I know it will happen by then; probably sooner), if I grab my Apple smartphone and press "record video" and point it at a piece of DRM-protected content playing on my computer, it will not record. Will not record. There will just be a black spot in your recording. The recording audio will cut out as well, if an audio watermark is detected.
It's an ANALOG hole. Film cameras will always be able to record your screen. Cassette recorders will work fine. But your digital equipment? No.
The W3C hasn't been a good "guardian" of HTML for a very long time. This is pretty much why they're not even the only guardian around - there's also WHATWG.
For example, 12 years ago W3C attempting to push "RAND" patent licensing into HTML:
This was 100% against the concept of a free, open web, and it took a huge effort to stop it happening. It's crazy that it even got that far.
So it's no surprise that they're pushing industry interests again today. I lost all confidence in that group safeguarding HTML a long time ago, and it looks like the they haven't changed.
It would be great if anyone opposed to this would contact an organization on this list, ask them why they're endorsing and funding DRM and the end of the free Web, and if not, when they will be resigning from the W3C.
Every name you can get stricken from the list is up to around $70,000 per year defunded from what is now most effective driver of DRM in the world. [1] Getting some public statements from the membership would be educational, if nothing else.
I don't understand why everyone is up in arms about this. Some content cannot go anywhere without DRM. That's not going to change. Do you think the Universal is just 6 months away from streaming the latest blockbuster with VP8 in a video tag?
Right now we have Flash and Silverlight everywhere and it's a PITA. How open are those two? This adds the option of moving this stuff out of plugins. If you want to live in some everything-is-free utopia, just never visit netflix.com.
There's a difference between a closed plugin and a closed browser. Let the DRM content stay in their plugins in their paywalled sites, while the web in general remains open and benefits from the creativity and innovation that flows from that openness.
If it's open source, I can just swoop in, inject some code and make a copy of the decrypted data stream for 'archival purposes'. Won't take a day for a PoC.
I can still do this with closed source DRM blobs, but it will take much longer. And there will probably be pointless anti-debugger tricks, system wide hooks that break countless other software, kernel drivers that BSoD your system..
That is precisely why this proposal is such a terrible idea. It writes into a standard that it is okay to produce software that is actively hostile to its user, while having absolutely no security gain whatsoever (because the concept is fundamentally broken: if the data is being decrypted on my system, I will get it).
Yes, that is my point. That is why any DRM plugin will be closed-source and probably filled with landmines and obfuscation: its the only sliver of a chance they have to make getting the unencrypted data hard.
Why should we care? The web is not supposed to restrict users. If Universal does not like it, they can go somewhere else -- they have the cable TV system with all its restrictions and anti-freedom design.
No, the web is all about restricting users. It's baked into several HTTP error codes (403 and 401 off the top of my head). SSL is also rather popular.
I assume you mean that the browser shouldn't restrict users? Like, if I stream a movie from Netflix, I should be able to also save it locally so I can take parts of it to use in my fair use arts project? Sorry. Never going to happen. Forcing this use case that _people want_ off into plugins isn't going to make anything more "free".
That's like selling a Roku box that can only play Ted and Youtube videos and saying that it's better because it's totally free, and open, and doesn't restrict its users. Well, sure, that is the best kind of correct. But only because you yanked everything that wasn't free. You didn't actually add any value over the standard Roku box that plays Netflix and Amazon.
> No, the web is all about restricting users. It's baked into several HTTP error codes (403 and 401 off the top of my head). SSL is also rather popular.
This is obtuse. The HTTP and HTML specs provide standards for interoperation. Some modes of operation are forbidden for some users, and the specification provides a way for that to be communicated. It sounds like you're taking a whole-system approach to freedom, which is certainly valid (see the AGPL for a "free" response). But it's orthogonal to the issue at hand, which is interoperability. Any client can still implement the specification.
That said, I'm completely at a loss as to how you believe SSL "restricts users".
> I assume you mean that the browser shouldn't restrict users? Like, if I stream a movie from Netflix, I should be able to also save it locally so I can take parts of it to use in my fair use arts project?
The browser should implement an interoperable standard. That standard should be accessible to everyone. Any browser vendor should be able to, once they have properly implemented the specification, stream a movie from Netflix (this is the very thing that EME makes impossible).
> Sorry. Never going to happen. Forcing this use case that _people want_ off into plugins isn't going to make anything more "free".
This does not have to be reality, no matter what vendors say. There's a reason digital restriction management was forced out of the music space: it's ineffective, it's consumer-hostile, and it hinders innovation. Many of us are mad precisely because the vendors played hardball in their negotiations, and the W3C wimped out. Vendors need the web more than the web needs the vendors, but the W3C didn't take an equally hard line back and we're left with a decision that screws everyone but media companies.
> That's like selling a Roku box that can only play Ted and Youtube videos and saying that it's better because it's totally free, and open, and doesn't restrict its users. Well, sure, that is the best kind of correct. But only because you yanked everything that wasn't free. You didn't actually add any value over the standard Roku box that plays Netflix and Amazon.
The problem is, this decision hinders innovation. It is now much harder for a Roku competitor to exist, because before they can get off the ground they have to comply with byzantine demands of old media companies. "totally free, and open, and doesn't restrict its users" is the future of communication and computing (at least technically, politically is a different story). This decision is mired in the past.
Let's circle back to this:
> Forcing this use case that _people want_ off into plugins isn't going to make anything more "free".
This is exactly what EME does. The digital restriction management "extensions" are plugins. They are binary blobs, tied to specific hardware implementations. This regresses the web back to the "best viewed on Windows in IE 2.3" days, where interoperation is dead and cross-platform compatibility is a hippy dream.
And that's why people are mad at the W3C for no longer representing what the web is supposed to be.
I don't believe that. Music industry said the same thing, no one supported DRM and now music is DRM free. It was only a matter time before Netflix/Amazon Prime/Hulu went DRM free.
The movie/television industry wasn't crippled piracy, and most likely will never be. These guys print money and it seems they will print money for time to come, and Netflix/Prime/Hulu generates pennies compared to the TV/Movie industries billions.
Simply put, the movie/television is much more diverse than the music industry and won't see its lunch eaten.
The biggest hurdle in getting DRM content in the contract games that are being played with all the major providers right now (remember the TWC/CBS dispute). In these contracts are clauses for all content to be DRM'd. Even if everyone understood that DRM is bad UX, no one gives a shit about fighting those clauses when TWC is removing CBS over contract disputes. It just currently doesn't make sense to risk hundreds of millions of dollars for a moral issue that 99% of users simply don't care about.
> Do you think the Universal is just 6 months away from streaming the latest blockbuster with VP8 in a video tag?
They should be. Because I'm going to continue getting my DRM free video from the Pirate Bay until they do. They might have a chance at revenue if they'd just get over themselves. Dinosaurs.
HTML5 DRM video makes sense, and it might force content producers to modernise their distribution methods. This would be nice for consumers, many of who are forced to pirate simply because content isn't available in their country or don't have cable subscriptions.
It won't stop piracy, even if it means holding a camera up to the screen to capture the data.
However locking down the browser itself is simply ridiculous. it reminds me of snopes.com disabling right click.
I don't get it. If they want a plugin, they should build a plugin. Why would any sane person (1) create redundant infrastructure for DRM plugins (2) get all the same security problems and more just because some hipsters at Netflix get a hardon when they can't use HTML5 video tags and have to embed a plugin? We certainly shouldn't offload Netflixs woes with content producers onto every browser maker in existence.
What a bizarre discussion. Should have been laughed out from the first proposal.
This could have really huge and ugly long term consequences for search engines.
OTOH, with a little help from the OS to guard the path through to the HDMI spigot (which is probably already in place) I may be able to see all my Amazon Instant Prime content via my browser in HD. :-)
There's an upside to the downside. Some things will be closed by this and some things will be opened. The impact on the non-pirating media consumer will mostly be positive.
The impact on the cable companies and other parasitic channels through which content must now pass will, to our benefit, be negative since content producers will need them for nothing to maximize the returns on their investment. Many hands that dip into the revenue stream between the producer and the consumer to merely protect the stream can be easily eliminated. The same is true of all the various music channels from the labels through iTunes to Spotify.
I like this because artists and producers will be able to negotiate with us directly which will lower the cost and the motivation to pirate. I'm all for artists and producers making money on their work, but not all the various middle men this can remove from the picture.
I'm very concerned, however, about the possibly negative effect on things other than media content like the general flow of news and information. Any item of information can now easily carry a price for internet access independent of the channels through which it moves.
Wow. This isn't just adapting DRM, they're literally saying that they can change the HTML5 standard at a whim and we'll only have access to the CC0 licensed spec.
isnt this the equivalent of greying out the "view source" menu item or removing the developer menu item?
You can still get the entire page, it comes in over the wire. If they do this, I would assume we can just capture the raw data, and new apps that decode that raw data and give the same tools as the browser developer tools offer.
If not, hopefully there are browsers who refuse to implement, and hopefully it takes less time than it took Adobe to learn their lesson.
This is poison and against everything the W3C is set to do according to their own mission statement.
Everything we've spent the last 20 years building and standardising. Now ruined. Tainted.
They have now lost all legitimacy among anyone who calls themselves a proponent of the open web. We need a new leadership as the old one can't be trusted. We need an open web action group to start over.
Thanks for fragmenting the web, W3C. Thanks for nothing, assholes.
The W3C was always a pay-for-play organization led by corporate interests. The full time staff of the W3C were MIT academics trying to foster conversation so that the openness of the web could be preserved among the reality that most funding for browsers was between competitors looking to make a buck. It took enormous pressure and nearly a decade (1994-2004) to foster web standards to the competent mediocrity they are today.
The WHATWG only solidified the corporate interests, by making browser makers The Only Ones Who Matter: Google (who also funds Mozilla), Microsoft, and Apple.
You can claim you want new leadership, but who has the credibility and legitimacy you claim has been lost? Students? Government workers? All competent engineers are working for for-profit companies (or are funded by them) that want to monetize your eyeballs. You could look to academia and government-funding, I suppose, like the original web. But the web is here, now. It's likely not going to be replaced.
313 comments
[ 6.7 ms ] story [ 276 ms ] threadAre the people pushing for this hoping it's just too much hassle?
These questions aren't rhetorical: I'm interested in what exactly the DRM people are pushing and how they expect it to work. Just not interested enough to read about it myself :D. (Also, I think this makes for a great conversation topic.)
I'm quite surprised to see Tim Berners-Lee approve this in fact, I wonder what made him say yes to this.
With this standardized, we will continue to be legally and/or practically blocked from native consumption of protected content on general purpose GNU/Linux distributions.
DRM just makes lawyers happy. I say, let them eat cake.
Probably with a client-side file (or binary?) that gets delivered to the browser from the server and accessed locally in a sandboxed environment. This handles keys, auth, etc natively with the browser. This might be seamless to the end user.
Probably easily crackable like, say SteamWorks, but good enough to keep low-hanging fruit safe and copyright holders happy as we begin to retire flash entirely. Joe User won't be able to 'right-click and saveas' but he'll be able to view HTML5 video.
I think TBL is stuck between a rock and a hard place, just like Gabe Newell was with Steam. Users hate DRM, but he can't sell games without it. Some crowd-happy DRM scheme that's unobtrusive might be the only winning move here.
Hence a browser developer or OS developer or developer of whatever software is in question wouldn't be permitted (by the DRM system's inventor or administrator) to get decryption keys if they didn't promise to implement these restrictions.
Some of the people who invented the modern DRM business ecology called this "the intersection of technology, law, and commercial licensing" (the title of a 1996 article by Dean Marks and Bruce Turnbull). Here, the "technology" is DRM implementations -- including software obfuscation and other measures; the "law" is anticircumvention laws like the DMCA §1201 that make it risky for people to use the decryption keys in ways that industry dislikes; and "commercial licensing" is the permission from a DRM developer to interoperate with that DRM, including "compliance" rules (about the functionality of the technology product) and "robustness" rules (about tamper-resistance), that result in the licensee being issued decryption keys.
In my view (I worked on EFF's objection) this is a deliberate attack on software interoperability: the whole point is to allow someone to try to prevent interoperability with software that hasn't been "approved". And it's also in extreme tension with the idea of having browsers that end-users can modify (their individual instances of).
If a proper open source system has a component that enforces DRM, and is functional when I download it, then it includes those keys; but gives me an unconditional right to use and modify it. And I am physically able to modify it, un-implementing those restrictions.
If part of the system cannot be modified by me, then the whole is not open source, and any open source system such as Firefox shouldn't include that part or standard.
"Open Source" definition does not include any clauses that require hardware manufacturers to provide you encryption and/or signing keys, so you could run your code. GPLv3 and "Free Software" are what you're looking for.
As I said in another comment, people who usually say "free software" are more likely to think that preventing restrictive downstream products is an important goal than people who usually say "open source". But that doesn't mean it's part of the definition of what it means to be free software.
EDIT: I also think the comment the parent replied to was right to say "then the whole is not open source". BusyBox is both free and open source even though its license allows it to be included in the locked-down TiVo -- but the TiVo as a whole is not open source.
This issue reflects the way that people have had very different ideas about what the point or purpose of free and open source software is (in some ways, reflecting the split between people who preferred to say "free software" over "open source" and vice versa).
It's also a very concrete issue today in whether people call, say, the Chrome browser "open source". Most of their source code is downloadable, derived from the fully open-source Chromium project, but in Google's current practice, users never get the complete source code to the Chrome binaries that they run. If you're focused on the development process, it might almost make sense to call Chrome "open source" because almost all of its source code is distributed, licensed, and developed in an open source manner -- but if you're focused on what users can do with the software, it's obviously just a proprietary application (with a proprietary EULA, to boot).
Of course, if you do that you may as well just not release the source code at all, because there's no way for the user to tell that the binary does actually correspond to the source without also being able to extract the encryption key and break the DRM.
Some people think that publishing source code is first and foremost a way to get other people to collaborate on its development, not to ensure any particular rights or knowledge or safety for people who end up using the software. For example, you could imagine a consortium of people who each make a super-proprietary locked-down thing and they publish and collaborate on the code of some libraries that their respective locked-down things need. They actively do want other locked-down thing makers to comment on how to make the code better and contribute patches, but they actively don't want customers to use that knowledge to make the thing less locked-down (or to be able to verify what it does or doesn't do).
This is a situation that we often encounter in the real world, and in fact some of the locked-down thing makers are even surprised when people say the contrast in their behavior with respect to these audiences is strange or hypocritical, because they didn't know or didn't remember that other people think software freedom is partly or mainly meant to benefit users.
That's why they have to obfuscate things at the code level too.
So would you say that firefox is open source now? If they implement this as a plugin, what makes it technically different from using Flash?
Excellent!
"A Web where you cannot cut and paste text; where your browser can't "Save As..." an image; where the "allowed" uses of saved files are monitored beyond the browser; where JavaScript is sealed away in opaque tombs; and maybe even where we can no longer effectively "View Source" on some sites, is a very different Web from the one we have today. It's a Web where user agents—browsers—must navigate a nest of enforced duties every time they visit a page. It's a place where the next Tim Berners-Lee or Mozilla, if they were building a new browser from scratch, couldn't just look up the details of all the "Web" technologies. They'd have to negotiate and sign compliance agreements with a raft of DRM providers just to be fully standards-compliant and interoperable."
They suggest the W3C may be digging itself into another hole like the one that led to the formation of WHATWG. A good read.
[1] https://www.eff.org/deeplinks/2013/10/lowering-your-standard...
I dislike DRM as much as the next person, but if it's implemented reasonably (think Steam or Netflix), then many consumers are willing to deal with it. EME was what enabled Netflix on ARM-based Chromebooks, for example; and I prefer EME to not being able to legally access media at all.
In other words, you are willing to give up freedom to get--what, exactly? Movies? Music? Eye candy?
I confess I simply can't understand this point of view. People are willing to hand over the Internet to DRM and the media corporations because they can't live without the "entertainment" that Hollywood provides? People are willing to have their computers pwned just so they can watch Netflix? That appalls me.
EME is not new. There are already devices shipping with implementations, like mine. If EME is standardized, what it means for me is that there's a chance that my device will work with all DRMed content I want to access, and not on a per-service basis.
We're not talking about giving "big bad media companies" full control of the Ring 0 Hypervisor; I am still perfectly capable of flipping the virtual developer switch on my device and booting a pure version of Linux at any time. If I buy a device ships like that, I hope that future me will have the good sense to return it to the store.
Yes. Why? (I don't have a Chromebook, and don't use Chrome OS, for this very reason.)
It is certainly the case that several individuals editing specs under the WHATWG banner have set out their opposition to DRM. It seems unlikely that Hixie will include it the HTML spec he edits unless, of course, we end up with something implemented in browsers that is both interoperable and open. Since "open" rather defeats the point of DRM, it's difficult to imagine that happening, however.
https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-med...
Chrome and IE are the ones pushing this - so yes, the opinion of browser makers matter, but sadly the 2 biggest ones, Google and Microsoft, do not just support EME but are the ones driving it.
It's a tragic comedy that everyone's yelling at the W3C for losing their way yet again... the WHATWG, weren't they great. Yet the WHATWG is basically a proxy for Google, Apple and Microsoft. And they have driven the W3C agenda for a long while.
When you repeatedly shit on the hippies, academics, and non-browser makers that had more sway in the past at the W3C, and replace them by corporate browser makers, you weaken the antibodies that were in place. The WHATWG's presence has marginalizing other voices within the W3C and forced it to listen to its primary members - i.e. corporate, pay-to-play ones.
http://www.gnu.org/philosophy/right-to-read.html
I may be totally naive here, but I'm not really sure why this matters. That there is a WC3 standard does not imply that browsers have to adhere to it. If they didn't they simply wouldn't be able to access DRM protected content. From a UX perspective this seems no different from Netflix putting their content behind a login. Maybe I am being an idiot, if so please correct me, but this doesn't really seem like anything to worry about. The threats implied by EFF, that massive corporations will control content on the internet, seems only true for content published by those massive corporations (and thus are already happening now, with 3rd party DRM ie: Netflix's Silverlight player). It doesn't stop people from publishing non DRM protected content.
I would agree this doesn't belong in the spec on technical level, but it seems to be inclusive not exclusive.
But we do, and so just as you say there are "legitimate reasons" why someone may wish to save a video, there are too "legitimate reasons" someone may want to share their work in a protected manner. It's a product. If you don't like it don't buy it.
There is no part of this that forces the user to view only DRM protected websites. As far as I can tell this only increases the rights of copyright holders, which, again, I think is stupid, but seems completely legal and a reasonable thing to do under our existing legal framework. Edit: it also does not seem like it will fundamentally change the user experience of the web since the things that it allows are mostly already doable, just not with an HTML standard.
The idea was that HTML5 gets rid of Flash and similar plugins and not that HTML5 turns into a vehicle for "yet another Flash".
Next thing we are adding a spy module feature because advertisers and the NSA demand it? Well at least the spy module could be free software unlike the proprietary closed source binary blobs needed for Digital Restrictions Management.
Edit: I'm obviously not serious.
Google copying Yahoo's front page code? Okay, that'll be in the news and everyone will have a good laugh.
Some Joe Schmoe Web Developer lifting CSS/HTML from an unknown client to sell to an unknown client? Eh, not so much. This probably happens often and goes undetected.
To your question, is it "ok," I couldn't provide the answer as I don't own the copyright.
My statement was that I wish we lived in a world without copyright. The rules would be very different, and thus we would act and compete differently. As is, brand is an important asset for a company. I think you know all this.
I also think your argument is a bit sophomoric and I find it obnoxious that you are calling out my employer's name.
Or are you also advocating for changes to trademark law?
http://www.gnu.org/philosophy/not-ipr.html
This TED talk explains it quite well : http://www.ted.com/talks/johanna_blakley_lessons_from_fashio...
Although it seems the word "copyright" is also a bit of doublespeak these days. In general it doesn't go out of its way to give authors the right to control how publishers distribute copies any more, it's been co-opted as a system for publishers to deny every individual the the ability to make their own copies for any reason. If you ask me they should call it a copy-block instead of a copy-right.
IMO, this is a very dumb approach. This would not be OK anywhere else. Feel free to enforce your copyright, but don't expect me to bear your burden without kicking and screaming.
All they can take away is the sources that actually bring them money.
The web's success has been extraordinary in the same terms of any monumental human achievement -- the discovery of anti-biotics, the moon landing, the Magna Carta.
Why would we cripple that set of features just to make a tiny group of people happy (relative to the world's population, the copyright "special interest" cartel is indeed microscopic.)
And I thought web sites screwing up keyboard shortcuts was annoying..
At least they were.
I completely disagree. You are the guardian. Every one of us is the guardian.
"Guarding the web" isn't in the W3C's mission at all: http://www.w3.org/Consortium/mission.html They design standards used internationally. That's it.
1 - We'll lose the W3C. We'll have to either create another standards body, or go back to the 90's situation when nobody agreed on anything.
2 - There are a few places where actualy reading the data somebody sent to you is a crime. Despite the drawbacks on those kinds of law, some of those places are still very importantly economically, and we can't just ignore them, at least for now. If you create a code for "don't read this data" to be sent over the web, disobeying it will become a crime there.
2. Yes, like in the United States. Just like receiving stolen goods is a crime. No offense, but when you say things like "If you create a code for "don't read this data" to be sent over the web, disobeying it will become a crime there." I don't think you fully understand how DRM currently works and how it would work using this standard. It is simply a standard people can implement.
Edit: as some of you have pointed out, the phrase "copyright-compliant" is somewhat meaningless. I should've chosen my words more carefully. I meant "copyright-enforcement-enabling."
No, what he means is that, if we stop listening to the W3C because of this, the W3C will no longer matter. So either we won't have a standards body, or we will need a new one.
Conversely, there are countless features introduced by Browser Vendors that do not exist in the W3C's specs. (And some of those are even eventually picked up by the W3c.)
I honestly don't think people understand how the Standards Body's work, and how their specs propagate into actual products that people use on a daily basis.
Many companies have cherry-picked what to implement and what not to. This is not new. If anything, it's the norm. Vendors will continue to do this as long as the W3C will exist, and can continue to do so in this case, without destroying the W3C or making it an invalid body.
This particular argument is totally bunk.
You wrote:
"I may be totally naive here, but I'm not really sure why this matters. That there is a WC3 standard does not imply that browsers have to adhere to it." - https://news.ycombinator.com/item?id=6491428
marcosdumay is responding to that by saying "It matters because ..."
And how many people will use it, apart from outliers like people who post here? The vast majority of people use one of the Big Three: Firefox, Internet Exploder [no, that's not a typo ;)], and Chrome.
Furthermore, if the Big Three implement a DRM standard, then web pages that want to "protect their content" will simply use the DRM standard, and it won't matter that Joe's Really Cool Browser doesn't implement it; that browser simply won't be able to view the pages. A few outliers like us will rant and rave; anyone else who tries it will say "Joe's Really Cool Browser Sucks" and go back to using one of the Big Three.
This is not about making a copyright-friendly web. This is about attacking the openness of the web.
Browsers have plug-in architectures. DRM systems are inherently proprietary. Leave them to implement proprietary plug-ins.
In reality though these control freak moves only "work" (for them) if everybody is forced to adopt. Another site another plugin type situation will shift a lot of people to non-drm content providers, whether on principle or maybe just plain old apathy. I'm sure browser makers could streamline this process so that it's a minimal hurdle to install a plugin but if it's optional then we have the option to avoid it and that is exactly what those goddamn morons would like to stop.
We already lost the W3C once for about 10 years. Remember XHTML and XHTML2? Those, and a bunch of special purpose not particularly interesting niche XML standards (P3P? XML-FO?) were pretty much all they worked on for a decade or so. It wasn't until the WHATWG was formed by some browser vendors who wanted to start working on a standard for features that users would actually want, rather than what architecture astronauts thought would be a nice design, and the W3C realized that's what people were actually interested in and so replaced XHTML2 with HTML5 based on the WHATWG spec that they actually became relevant again.
Now, I will have to give credit that there were still a few groups at the W3C doing work relevant to the actual open web, such as SVG and CSS. But given how the WHATWG took over work on the HTML standard and actually did work towards a standard that was useful and relevant to browser vendors when the W3C went off the rails the last time means that I'm not too worried if it goes off the rails again this time, you can always form another standards body if it becomes irrelevant. You just need to be sure to recognize this early on, so you don't waste too much time and effort waiting for the W3C to get its act together again.
So, with XHTML, the main thing is that people just wanted their web pages to work like they always had; they didn't want to deal with adding slashes to make their web pages XML and strict parsers and whatnot.
But with P3P, what people want is Netflix and Rdio on all their devices (such as ARM-based Samsung Chromebooks).
Frankly, I prefer the sound of standardized DRM to everyone rolling their own ala the 90s; with any luck it'll mean fewer formats/keys that need to be reverse engineered and whatnot.
Second, none of the proposals for EME that I've seen actually address the issue of being able to play the same content across devices. They aren't a standardized DRM scheme; they are merely hooks for proprietary DRM schemes, essentially a way to allow proprietary DRM schemes to hook into the HTML5 media player rather than having to use the plugin interface and implement the media player in Flash or Silverlight. It's basically just a plugin API for plugins that provide only DRM, leaving the rest up to the browser.
Don't think that this is meant to actually increase interoperability; a large portion of the "value" of DRM, for those who promote it, it the ability to have various lucrative exclusive contracts with particular cable networks, hardware vendors, and so on. You're just going to see more "Live NFL - a Samsung exclusive!", not actually be able to get Netflix on any device you want.
If it worked across any device, then it would need to work on open devices as well, but of course if the device is open you can bypass the DRM. So it's always going to be based on licenses, that only certain vendors can get if they promise to implement DRM securely and not give users full access to their own devices.
Exactly: its a specification for a constrained plugin API focussed DRM, so that browsers don't have to either maintain a common general purpose plugin API (e.g., NPAPI) or, alternatively, have browser-specific APIs in order to meet content-owners demand for a DRM-supporting delivery channel.
I agree with the rest of what you've said, but I don't think the typical end-user worries about "openness" until it's too late.
That's an awesome term for something I never quite had a word for.
http://www.joelonsoftware.com/articles/fog0000000018.html
What the hell are they even talking about here? Since when has ANY browser been "Fully, 100% W3C Compliant"?? Answer: None. Ever. Seriously.
There are rafts of non-compliant features, both legacy and newly introduced, in every single one of the most popular modern web browsers. (Even Opera!!) Certainly, with the last decade of popular support pushing Browser Vendors towards W3C compliance, the web has been more standards-based than ever before.
But this is just a silly argument. I agree with the political aim of the EFF here. But let's not just invent things or misrepresent things. It makes them lose credibility in my eyes.
If you want to implement a DRM binary blob with EME, you're going to have to negotiate a compliance contract of some kind with the DRM vendor, probably connected to some hook IP. (See http://en.wikipedia.org/wiki/Compliance_and_Robustness )
Pretty much like Firefox and IE6 activeX sites, or iPhones / android and flash. DRM simply restricts playback devices.
It's the equivalent of standardizing the object or embed tags: it's a standard way of getting at non-standard functionality, and sites then depend on specific implementations of that non-standard functionality, the same way they depend on the Flash plugin today in ways that knowing how to implement the object tag doesn't help with.
Standardizing a single fully-specified mechanism for DRM might actually be useful (debatably), but that would break the current model in which DRM is completely unsound and relies on security-through-obscurity. "Standardizing" a means of getting at the myriad non-standard DRM implementations and their non-standard APIs is worse than worthless: it's actively harmful, and it prolongs the death of those technologies.
Right now, content providers have to choose whether to support the open web or DRM. They should continue to have to make that choice, with supporters of the open web reaching a larger audience, until eventually all the holdouts either switch or lose. This is a major step backward for that goal, and the W3C has no business claiming EME has anything to do with the open web.
That depends on where you think UX ends. That login will work fine from within an open source browser and/or OS you compiled (and possibly wrote or tweaked) yourself.
I haven't read the article, but if that DRM works, it wouldn't run in your browser on your OS, as content providers would not trust them. Chances are that your Chrome, Firefox, or Safari extensions wouldn't even work with the DRM (at best, they would get disabled on protected (from you) pages.)
What this standard actually specifies however, is only that the browser will respond to a certain tag by looking for some proprietary-ware to play whatever audio and/or video someone wants to restrict.
This is a disappointing move on the part of w3c, because it lends some air of legitimacy to DRM, and because it revives the otherwise dying plugin system under a new name. But it doesn't actually force DRM on anyone or restrict the ability to do anything on the web.
The best case would be that users are unwilling to install the black-box-ware in order to see videos or whatever, and the feature is little used and the copyright exploiters have to either unlock the content or go away with it. None of which would be bad.
The W3 proposals suggested do not in fact mandate browser vendors implement any DRM scheme to remain 100% standards compliant. This is myth that gets repeated on HN surprisingly often.
The issue is that some big name content providers don't want to sell you content unless they can also install things on your computer. This fact remains regardless of the technological implementation details.
The overwhelming majority of content on the web is DRM free. These proposals do not mandate nor give any incentive for that content to be protected if it is not already.
Sure, but we don't have to aid them in their quest
>The overwhelming majority of content on the web is DRM free. These proposals do not mandate nor give any incentive for that content to be protected if it is not already.
The practical effect of being able to deliver DRM'd content to every non-technical web user, without first having to get that user to download and install your proprietary software, is just massive. This is one of the biggest falloff points in the conversion funnel, so it makes this new delivery method highly attractive. As it is now, businesses have to balance the cost of losing customers against the cost of not being able to DRM their content. Take that dilemma away and I think you certainly have a new incentive. The practical effects of this are far reaching imo.
Perhaps there exists a class of people who wanted to implement DRM on all of their content but were just waiting for the W3s blessing but such a class will be extremely small.
Most of the DRM you see comes from mandates from big content firms, most other people could give less of a shit.
Try exercising your fair-use rights on those DRM'd bits for example.
And the businesses (Hollywood) with the content that Web users want have done that math and decided that DRM through plug-ins and native apps is an EXCELLENT system and they're happy to keep mandating it forever. If Plug-ins go away, as they're slowly but surely doing, then native apps will be the only place to get this content.
Hacker News types, myself included, will cringe at this truth, but most consumers don't give a shit about the Web. They care about the content the Web gives them. If the Web cannot give them the content they want, they'll get it elsewhere, probably from silo'd App Stores where things "just work."
I don't cringe at that, it's just the way it is. But I promise you no-install browser delivery of DRM'd content which "just works" is very valuable to those businesses. People grab the thing within arm's reach. Sure, if there isn't anything in arm's reach a decent amount of them will still walk across the room for what they want, but I think that's besides the point.
And in this scenario (i.e., the way things are now), someone like me, who doesn't give a shit about "content" but does care about the Web itself, can still avoid DRM by not installing the plugins, not using the silo'd App Stores, etc. But if my browser is the silo'd plugin/App Store, I'm SOL. That is why all this matters: it makes DRM and all of the closed source nastiness that goes with it the default, instead of something people have to choose. I think that's a very, very bad idea.
EME is not strictly DRM in your browser: it's a standardised interface to allow your browser to talk to DRM modules.
> get it elsewhere, probably from silo'd App Stores where
> things "just work."
That's entirely reasonable. Silo'd 'app stores' are where things like DRM belong, not the World Wide Web.
But more importantly the idea of HTML5 was to get rid of proprietary closed source plugins like Flash. Adding DRM to HTML5 will make it rely on proprietary closed source plugins.
I hope the W3C reconsiders. If somebody feels the need for DRM then they should implement their own stuff outside of the open web.
If anything this is worse than proprietary plugins because those used documented APIs that any browser could support, whereas this is integrated into the web browser itself.
DRM's purpose is similar, but one of the endpoints is in the physical control of an untrusted entity: you. Since the point of DRM is to prevent the user at one of the endpoints from accessing the data, if you have the source and keys to the destination endpoint (e.g. TPM, HDCP-enabled GPU), the endpoint can't be trusted, you can get the data, and the DRM fails at its purpose.
This scheme basically just creates a special class of plugins; these plugins clearly won't be OS-agnostic, because they can't -- that's the whole point of the exercise: to restrict playback to devices that are fully authorised/controlled from top to bottom, with the browser piping streams from the web to trusted plugins running on trusted OSes using trusted hardware (TPM etc).
If I want to watch netflix or play GTA5 on my haiku box I'm SOL as it is unless there is a business case to be made for doing the port.
This actually makes things easier. For example netflix currently uses silverlight for their streaming, this means that in order to watch netflix you need something that supports the entire silverlight stack.
With this proposal all you need is modern browser and a compatible CDM which is a much smaller chunk of code.
Technically speaking it's almost the same as the status quo, but a little bit of DRM principles have now been enshrined in the foundations of our web. Depending on what your view of DRM is, of course, this is good news or bad news; but from a technical point of view, it changes very, very little.
That's exactly the point, the case is NOT so with HTML and JavaScript. A webapp I write in HTML and JavaScript is OS agnostic!
In fact it's not clear that anyone can use a standardized, open API for decryption modules and meet content providers' security demands. While some of them were historically willing to use Flash which did use standard browser APIs, they've taken this as an opportunity to demand more.
It looks like the idea is to implement a system where encrypted content is passed to the browser. The key is then sent through the browser to the CDM, the CDM can take the content and hand back decrypted frames.
It's entirely possible for content vendors to support multiple CDMs for different browser or OS combinations. The advantage of this is that the CDM is a smaller dependency than something like silverlight, so you can have a standard HTML5 video player interface across platforms and just swap out CDMs.
The only way it will work is if the restrictions module handles everything from decryption, decoding, to rendering. Probably even using a hardware DRM scheme and preventing any interaction of the video data with the JavaScript or any other website elements.
So the CDM isn't necessarily seperate from the browser itself - that's left totally as an implementation decision, and at least one widespread implementation (IE11) is integrating the CDM tightly into the browser. Also, even if the CDM is seperate it can render frames directly to the screen without passing through the browser. In particular, note that:
"Where media rendering is not performed by the UA, for example in the case of a hardware protected media pipeline, then the full set of HTML rendering capabilities, for example CSS Transforms, may not be available. One likely restriction is that video media may be constrained to appear only in rectangular regions with sides parallel to the edges of the window and with normal orientation."
So basically, just like with existing plugins, encrypted content is an opaque rectangle plonked on top of the web page that's not part of the browser's normal rendering pathway.
Makers of Flash and Silverlight were a 3rd party in the DRM battle. They had to worry about their plugins' marketshare and could not implement too user-hostile DRM. They had to balance pleasing media corporations and users.
Now there won't be anything stopping MPAA's CEOs wet dreams running in your OS's kernel. Media corps have Netflix and Google (Play Store) in their pockets and can force them to ship all kinds of nastiness — under W3C's brand name.
But they're just voices in a large game: Microsoft and Google are co-editors with Netflix of the new DRM spec.
Edit: How can it be DRM if the algorithms/formats/protocols are open? Or aren't they open?
They're not. IIRC, the only open parts are the hooks the actual DRM plugin (but we're not calling it a plugin!) will utilize.
I really think allowing this to happen in the first place is just like opening the Pandora box. You give these guys an inch, they never stop demanding for more censorship.
Building a browser that ignores EME would be functionally equivalent to building a browser that can't use Flash.
Seriously though, everyone should go just read the spec. Or at the least, take a looksee at this: https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-med...
Which is why you have TPM and the various Microsoft/Apple/Google DRM schemes: Hollywood wants to lock down the full stack, and they're getting there one piece at the time.
For TPM, their enabler was Microsoft and their desire to lock down the boot process to enforce licensing. For this spec, it's Google and Netflix because they think it's the only way their media services will survive in the long run.
Insert here smart quote about expert frog-boiling.
There are issues to come when consumers only have access to encumbered media, but at the moment, they pretty clearly benefit from the access.
Speaking of access, make sure you have the SonyⓇ RootKit™ Updater installed.
You: Sure!
Me: No way!
Edit: The interface between the DRM servers and your backend code isn't standardized either, so content providers still have to do a bunch of DRM-scheme-specific development work. Basically, they standardized just enough to allow sites with DRM to claim they're 100% HTML5, it barely improves interoperability at all.
But the moment the MPAA muscles their way into the debate, suddenly we're all about DRM.
If you want DRM, you use a plug-in or a separate application. There's no reason that an app like Netflix or whatever can't use pure-HTML for everything but the video-stream and use a plug-in based object for the stream.
Keep HTML free.
That's exactly what this standard would allow.
Which means that your ad vendors actually about HTML5 support. They just do not know it yet.
In the end what browser vendors do matters the most, not what w3c thinks. Just look at the history of WHATWG.
If you ask me, the only reason DRM has worked up to now, is because code/file formats/protocols were secret. People didn't have access to the source. But now they do, in the open source browsers.
But PLEASE enlighten me. I wants to know.
Imagine a browser refuse playback video or audio clip based on Cinavia DRM plugin, and also a website requiring such plugin -- via the DRM API -- to provide any content.
So I just make a media player that ignores the watermark, based on the open source code I found in the browser... DRM hacked.
That is actually their plan.
2. An issue closer to home can be seen http://wiki.xbmc.org/?title=Raspberry_Pi/FAQ#Video_and_audio... .
3. Companies target audiences and not platforms. For example, Netflix on Linux.
[0] http://www.engadget.com/2010/09/14/hdcp-master-key-supposedl... [1] Key: http://pastebin.com/kCA3dFDv
As far as I can tell DRM has only ever punished, and still only punishes, legitimate users.
Ten years from now (I know it will happen by then; probably sooner), if I grab my Apple smartphone and press "record video" and point it at a piece of DRM-protected content playing on my computer, it will not record. Will not record. There will just be a black spot in your recording. The recording audio will cut out as well, if an audio watermark is detected.
It's an ANALOG hole. Film cameras will always be able to record your screen. Cassette recorders will work fine. But your digital equipment? No.
http://en.wikipedia.org/wiki/EURion_constellation
For example, 12 years ago W3C attempting to push "RAND" patent licensing into HTML:
http://lists.w3.org/Archives/Public/www-patentpolicy-comment...
This was 100% against the concept of a free, open web, and it took a huge effort to stop it happening. It's crazy that it even got that far.
So it's no surprise that they're pushing industry interests again today. I lost all confidence in that group safeguarding HTML a long time ago, and it looks like the they haven't changed.
We'll make a new W3C. One that can't be bought so easily.
It would be great if anyone opposed to this would contact an organization on this list, ask them why they're endorsing and funding DRM and the end of the free Web, and if not, when they will be resigning from the W3C.
Every name you can get stricken from the list is up to around $70,000 per year defunded from what is now most effective driver of DRM in the world. [1] Getting some public statements from the membership would be educational, if nothing else.
[1] http://www.w3.org/Consortium/fees?countryCode=US&quarter=10-...
'By contrast, W3C has now put its weight behind a restrictive future: let's call it "DRM-HTML".'
Right now we have Flash and Silverlight everywhere and it's a PITA. How open are those two? This adds the option of moving this stuff out of plugins. If you want to live in some everything-is-free utopia, just never visit netflix.com.
You don't complain when you can't decrypt PGP, even though PGP implementations are open source. This is the same thing.
I can still do this with closed source DRM blobs, but it will take much longer. And there will probably be pointless anti-debugger tricks, system wide hooks that break countless other software, kernel drivers that BSoD your system..
That is precisely why this proposal is such a terrible idea. It writes into a standard that it is okay to produce software that is actively hostile to its user, while having absolutely no security gain whatsoever (because the concept is fundamentally broken: if the data is being decrypted on my system, I will get it).
Why should we care? The web is not supposed to restrict users. If Universal does not like it, they can go somewhere else -- they have the cable TV system with all its restrictions and anti-freedom design.
I assume you mean that the browser shouldn't restrict users? Like, if I stream a movie from Netflix, I should be able to also save it locally so I can take parts of it to use in my fair use arts project? Sorry. Never going to happen. Forcing this use case that _people want_ off into plugins isn't going to make anything more "free".
That's like selling a Roku box that can only play Ted and Youtube videos and saying that it's better because it's totally free, and open, and doesn't restrict its users. Well, sure, that is the best kind of correct. But only because you yanked everything that wasn't free. You didn't actually add any value over the standard Roku box that plays Netflix and Amazon.
This is obtuse. The HTTP and HTML specs provide standards for interoperation. Some modes of operation are forbidden for some users, and the specification provides a way for that to be communicated. It sounds like you're taking a whole-system approach to freedom, which is certainly valid (see the AGPL for a "free" response). But it's orthogonal to the issue at hand, which is interoperability. Any client can still implement the specification.
That said, I'm completely at a loss as to how you believe SSL "restricts users".
> I assume you mean that the browser shouldn't restrict users? Like, if I stream a movie from Netflix, I should be able to also save it locally so I can take parts of it to use in my fair use arts project?
The browser should implement an interoperable standard. That standard should be accessible to everyone. Any browser vendor should be able to, once they have properly implemented the specification, stream a movie from Netflix (this is the very thing that EME makes impossible).
> Sorry. Never going to happen. Forcing this use case that _people want_ off into plugins isn't going to make anything more "free".
This does not have to be reality, no matter what vendors say. There's a reason digital restriction management was forced out of the music space: it's ineffective, it's consumer-hostile, and it hinders innovation. Many of us are mad precisely because the vendors played hardball in their negotiations, and the W3C wimped out. Vendors need the web more than the web needs the vendors, but the W3C didn't take an equally hard line back and we're left with a decision that screws everyone but media companies.
> That's like selling a Roku box that can only play Ted and Youtube videos and saying that it's better because it's totally free, and open, and doesn't restrict its users. Well, sure, that is the best kind of correct. But only because you yanked everything that wasn't free. You didn't actually add any value over the standard Roku box that plays Netflix and Amazon.
The problem is, this decision hinders innovation. It is now much harder for a Roku competitor to exist, because before they can get off the ground they have to comply with byzantine demands of old media companies. "totally free, and open, and doesn't restrict its users" is the future of communication and computing (at least technically, politically is a different story). This decision is mired in the past.
Let's circle back to this:
> Forcing this use case that _people want_ off into plugins isn't going to make anything more "free".
This is exactly what EME does. The digital restriction management "extensions" are plugins. They are binary blobs, tied to specific hardware implementations. This regresses the web back to the "best viewed on Windows in IE 2.3" days, where interoperation is dead and cross-platform compatibility is a hippy dream.
And that's why people are mad at the W3C for no longer representing what the web is supposed to be.
Simply put, the movie/television is much more diverse than the music industry and won't see its lunch eaten.
The biggest hurdle in getting DRM content in the contract games that are being played with all the major providers right now (remember the TWC/CBS dispute). In these contracts are clauses for all content to be DRM'd. Even if everyone understood that DRM is bad UX, no one gives a shit about fighting those clauses when TWC is removing CBS over contract disputes. It just currently doesn't make sense to risk hundreds of millions of dollars for a moral issue that 99% of users simply don't care about.
They should be. Because I'm going to continue getting my DRM free video from the Pirate Bay until they do. They might have a chance at revenue if they'd just get over themselves. Dinosaurs.
It won't stop piracy, even if it means holding a camera up to the screen to capture the data.
However locking down the browser itself is simply ridiculous. it reminds me of snopes.com disabling right click.
What a bizarre discussion. Should have been laughed out from the first proposal.
And yet it wasn't. Can certainly make you wonder about the health of the W3C as a whole.
OTOH, with a little help from the OS to guard the path through to the HDMI spigot (which is probably already in place) I may be able to see all my Amazon Instant Prime content via my browser in HD. :-)
There's an upside to the downside. Some things will be closed by this and some things will be opened. The impact on the non-pirating media consumer will mostly be positive.
The impact on the cable companies and other parasitic channels through which content must now pass will, to our benefit, be negative since content producers will need them for nothing to maximize the returns on their investment. Many hands that dip into the revenue stream between the producer and the consumer to merely protect the stream can be easily eliminated. The same is true of all the various music channels from the labels through iTunes to Spotify.
I like this because artists and producers will be able to negotiate with us directly which will lower the cost and the motivation to pirate. I'm all for artists and producers making money on their work, but not all the various middle men this can remove from the picture.
I'm very concerned, however, about the possibly negative effect on things other than media content like the general flow of news and information. Any item of information can now easily carry a price for internet access independent of the channels through which it moves.
Verdict: mixed bag.
Time to fork HTML5.
You can still get the entire page, it comes in over the wire. If they do this, I would assume we can just capture the raw data, and new apps that decode that raw data and give the same tools as the browser developer tools offer.
If not, hopefully there are browsers who refuse to implement, and hopefully it takes less time than it took Adobe to learn their lesson.
That's money and time they will not spend doing something useful for their interests.
Everything we've spent the last 20 years building and standardising. Now ruined. Tainted.
They have now lost all legitimacy among anyone who calls themselves a proponent of the open web. We need a new leadership as the old one can't be trusted. We need an open web action group to start over.
Thanks for fragmenting the web, W3C. Thanks for nothing, assholes.
The W3C was always a pay-for-play organization led by corporate interests. The full time staff of the W3C were MIT academics trying to foster conversation so that the openness of the web could be preserved among the reality that most funding for browsers was between competitors looking to make a buck. It took enormous pressure and nearly a decade (1994-2004) to foster web standards to the competent mediocrity they are today.
The WHATWG only solidified the corporate interests, by making browser makers The Only Ones Who Matter: Google (who also funds Mozilla), Microsoft, and Apple.
You can claim you want new leadership, but who has the credibility and legitimacy you claim has been lost? Students? Government workers? All competent engineers are working for for-profit companies (or are funded by them) that want to monetize your eyeballs. You could look to academia and government-funding, I suppose, like the original web. But the web is here, now. It's likely not going to be replaced.
Starting over is a loser's game.