
On Encrypted Media Extensions (EME) in HTML5 - mmoya
https://www.w3.org/blog/2017/02/on-eme-in-html5/
======
hackuser
> could W3C make a stand and just because DRM is a bad thing for users, could
> just refuse to work on DRM and push back wherever they could on it? Well,
> that would again not have any effect, because the W3C is not a court or an
> enforcement agency.

It has an effect because the W3C has authority and influence, even though it
doesn't have power, and by supporting DRM it communicates that it likes non-
open technology. It undermines very many people who have advocated for open
technology; if even the W3C says it's not important, then why would anyone
listen to me?

(I realize that the W3C may not be saying exactly that, but those subtleties
are lost in public communication.)

As an extreme example (because it comes to mind), Martin Luther King had no
real power; he held no office. But he did have influence and authority. If he
said that civil rights weren't important after all, then it would undermine
many people who sacrificed a lot to advocate for that cause. If MLK said civil
rights weren't important, why would anyone believe a protestor who said
otherwise?

~~~
DannyBee
"It has an effect because the W3C has authority and influence,"

No, it doesn't. In fact, for years the browser vendors told them to piss off
and went with the whatwg :)

"As an extreme example (because it comes to mind), Martin Luther King had no
real power; "

Martin Luther King had a church that followed him, and they were the people
who started protesting with him. The W3C doesn't really have a church. Or at
least, not one that is useful. If they protested it would be drowned out quite
the same as 35 people marching somewhere in Alabama would be today.
Additionally, MLK had people who believed in his cause. A very large number of
people, who were enough to cause disruption. He just was able to motivate
them.

That seems ... unlikely with the W3C.

So while you are right that if they had such power and influence, maybe they
could attract people to the cause. But the likelihood of success is low, and
they definitely aren't in the same situation as MLK.

~~~
azakai
No, I don't think you can deny the W3C has influence. You point out examples
of that influence not being absolute - which of course it isn't. It still has
important influence nonetheless.

~~~
DannyBee
Actually, i feel like I can. I feel like browser vendors were perfectly happy
ignoring literally everything the W3C said for years.

So exactly whom does it have influence to?

------
azakai
> If W3C did not recommend EME then the browser vendors would just make it
> outside W3C.

Yes, Google and Microsoft - the browser vendors that created EME - would have
done so anyhow, with or without the W3C. But that is no excuse for the W3C. If
it would happen anyhow and so "doesn't matter", then why support it? Rejecting
it would at minimum have had a strong symbolic meaning.

> Do we worry that having put movies on the web, then content providers will
> want to switch also to use it for other media such as music and books? For
> music, I don’t think so, because we have seen industry move consciously from
> a DRM-based model to an unencrypted model, where often the buyer’s email
> address may be put in a watermark, but there is no DRM.

And the same might have happened for movies, if we stopped Google, Microsoft,
and Netflix from creating and promoting EME. The music industry didn't just
"happen" to move away from DRM, it was a necessary response.

> The web has to be universal

EME has not and will not solve this. I cannot use a minority browser to view
EME content, not unless the browser has an arrangement with the DRM vendor.
That completely destroys universality.

~~~
type0
> That completely destroys universality.

You're right. Also this is terrible for both the creators and the consumers
since it promotes anticompetitive behavior by giant distributors. Here is a
great interview with Doctorow on why DRM is a terrible idea, he uses
publishing as an example but the idea applies to other creative branches -
[https://youtu.be/ZXu-_LBrf24?t=1800](https://youtu.be/ZXu-_LBrf24?t=1800)

------
the8472
The whole thing reads like a rationalization for behavior which they know is
bad.

Like making paddles for corporal punishment of children. There are many
manufacturers, we can't stop it, at least our standardized paddles don't have
spikes. We wanted to add a clause that forbids lasting damage to be inflicted
with our paddles, but the parents-for-paddling organization objected, we're
sad it didn't make it in, but it's still in everyone's best interest!

------
ryanobjc
These arguments are weak, and unconvincing.

One particular stood out. That EME would protect user's privacy somehow. But
that sandboxing, as his primary illustration of HOW that might occur, is NOT
part of the standard.

So, the standard does not protect the user directly. His assumption is that
browser manufacturers will do so via robust sandboxing against the EME blob.
(and for now, they probably will)

His core argument rotates on a few points, essentially boiling down to "its
better for the user to have EME than not", so having this central argument for
this make sense is important.

And it doesn't make sense. EME doesn't directly protect the user's privacy. It
perhaps allows, via unspecified methods, a browser to do things. Maybe.

Given these rationalizations, I wonder what his REAL reason for pushing EME?
Fear of being left out of the conversation and wanting to be "friendly" to
content interests is my top suggestion.

We will see where this goes, but I don't envy the massive hit to his
reputation he's taking here.

------
franciscop
He seems to forget that _the world is not the US_ , an important notion when
considering the future of the internet. I think a good analogy would be
medicines; the US has their own rules but then each country has different
rules. India for instance can copy any medicine they see fit to save lives
because health is more important _for them_ than money.

You might argue that entertainment is not the same as health; but don't forget
that one big part of DRM is in education, which _is_ a big deal. If we make
EME easy to use all Copyright abusers can and will - if history repeats - use
it. Things like Sci-Hub exist for this very reason. Arguing in favor of
denying education to an important fraction of the _poorer_ world for the
economic gain of few US companies is something that I think is worth fighting
against.

We are at a point where even Copyright abusers should start working online or
become irrelevant so many are migrating; let's not give them the tools to keep
abusing their users.

~~~
favorited
> He seems to forget that the world is not the US

I doubt that very much, as he is English...

~~~
franciscop
Probably I should have stated 1st world countries

------
om2
Let's say the W3C had the power to stop EME from existing, and not just to
refuse to give its implied blessing.

Would the result be no DRM on "premium" video? I doubt it. The de fact
approach before EME existed was to use plugins on desktop and a native app on
mobile. If there was no EME, that's what we would still have (and indeed the
transition is not over).

There are certainly problems with DRM. But the W3C's primary mission is to
bring the web to its fullest potential. If fighting DRM meant ceding ground
from the open web platform to plugins and native apps, then that doesn't seem
like a good way to benefit the web.

~~~
azakai
Perhaps, it could go either way, but it _did_ work out with music. It could
have worked with movies too.

~~~
om2
Music has a different history and context. The music publishers started to use
DRM-free music as a competitive wedge between sellers of digital music, mostly
as a wedge against Apple. Then Apple decided to also go DRM-free.

Unfortunately music is backsliding because more of the market is moving to
DRM-ful streaming services where you rent your music, instead of DRM-less
music that you own free and clear.

~~~
azakai
Additional factors were Napster and the rise of file-sharing services.

While I agree the history and context is different, I don't see a fundamental
difference between the two.

------
stinkytaco
I truly don't know what to feel about this. On one hand I think this is bad
for the future of content and users and even the web. On the other, I feel
that Google, Apple and MS would proceed regardless of the spec, meaning that
"the web" becomes a content delivery platform much like cable TV was,
controlled by a small, wealthy few. Either than or users migrate to where the
content is and leave the web behind.

This at least standardizes the process. Perhaps that's a bit like
standardizing the roads we drive on: it gets people around and enables
commerce, but the long term trade-off might be too much.

~~~
BinaryIdiot
This echos my original feelings. But if I understand correctly if you find a
vulnerability in the extension and report it, you can be sued. There is no
protection from users doing anything with EMEs other than letting them run.

I believe that is the case, anyway.

------
AndyMcConachie
There were two choices moving forward.

1) The W3C allows EME to be standardized and we hopefully end up with a
predictable standard.

2) The W3C not allow EME to be standardized and we end up with incompatible,
proprietary and bug ridden DRM implementations.

People who think there was some other option are delduding themselves. The W3C
made the right decision.

~~~
azakai
We still have incompatible and proprietary DRM implementations.

EME only standardizes the interface between them and the browser. The DRM
itself is completely unspecified here - that's the problem.

~~~
AndyMcConachie
Still better than nothing.

------
DecoPerson
What about smaller businesses?

Startup and local enterprises have far less choices than the giants like
Netflix, Google, Apple and cable companies.

\- HW box: insane venture for a small businesses

\- Desktop app: Good luck with adoption! Unless you're Apple and have a way to
force your iTunes-equivalent down your users' throats. Also, lots of work
specific to desktop apps.

\- Mobile app: Again, good luck with adoption. You'll need a way to show the
content on larger screens. Also, lots of work specific to each mobile
platform.

\- Blu-Ray: let's assume not an option

\- Browser app: Less adoption friction as it will work on any device with a
modern browser (including Smart TVs and game consoles). Lots of work, but can
be used for every platform (including native apps by using web views).

Browser apps are clearly the best choice for smaller businesses, except for
one problem: no DRM.

Content producers/middlemen see non-DRM content as a piracy risk (a
questionable decision) and therefore write requirements for a certain level of
"content protection" into their licensing agreements. Smaller businesses have
less bargaining power and it is unlikely they could negotiate out such a
clause (or convince the middleman of the stupidity of DRM and how it rarely
actually prevents piracy).

EME will enable smaller distribution businesses, increasing competition and
giving consumers more choice.

~~~
vetinari
> Smaller businesses have less bargaining power and it is unlikely they could
> negotiate out such a clause (or convince the middleman of the stupidity of
> DRM and how it rarely actually prevents piracy).

> EME will enable smaller distribution businesses, increasing competition and
> giving consumers more choice.

Illusion of choice. Because the small businesses have smaller bargaining
power, they will do whatever their partners will demand them to do. That does
not mean that there would be wider choice of content; quite contrary. There
would be only more distributors without any power to offer better service. The
content producers/middlemen would use them as a tool to protect their
position, making sure no other ITMS happens.

------
Daiz
_> Some people have protested “no”, but in fact I decided the actual logical
answer is “yes’._

As long as anti-circumvention laws are a thing, the real answer should be
nothing but a very enthusiastic "no". I don't see how anything covered by
anti-circumvention laws could in any way be compatible with the idea or spirit
of what is supposed to be Open Web.

 _> The reason for recommending EME is that by doing so, we lead the industry
who developed it in the first place to form a simple, easy to use way of
putting encrypted content online, so that there will be interoperability
between browsers. This makes it easier for web developers and also for users._

This is also a whole bunch of horse manure considering that the actual DRM
part is externalized to proprietary black box extensions so in reality HTML
DRM doesn't really do much to improve interopability. A browser vendor needs
to basically bundle a black box extension with their browser to handle the
DRM, and the DRM needs to approved by vendors like Netflix etc in order for
you to actually view DRM'd content on their site. Basically this just
entrenches the dominance of existing browsers over the market while making it
even harder than before for anyone new to try to tackle the market since now
you need to basically please Hollywood if you want to be able to play their
content in your browser, all with the blessing of W3C.

Sure, these DRM solutions already exist and will continue to exist, and it
doesn't help that two of the three big browser vendors are also DRM vendors
themselves (Google & Microsoft), but the last thing we should do is give them
official blessing for their practices. It's a huge spit in the face of the
Open Web.

EDIT: Some more comments.

 _> If EME did not exist, vendors could just create new Javascript based
versions._

This would be an infinitely more preferable solution to EME, because guess
what - this would actually guarantee true interoperability! As long as your
browser could run (modern) JS, it would be compatible with a JS-based content
protection scheme. Things on eg. Linux would Just Work without having to use
rely on Widewine DRM on a closed build of Chrome, for example. So presenting
EME vs JS-based protection schemes as equivalent is ridiculous. The latter is
vastly less bad than the former.

 _> And without using the web at all, it is so easy to invite ones viewers to
switching to view the content on a proprietary app. And if the closed
platforms prohibited DRM in apps, then the large content providers would
simply distribute their own set-top boxes and game consoles as the only way to
watch their stuff._

If content distributors wanted to try and ignore the web completely in the
name of "protecting their content"... by all means, go ahead! Somehow I
suspect they wouldn't resort to that, though - they wouldn't be so interested
in HTML DRM if they didn't see the web as a valuable venue. Most likely they'd
end up restricting web versions to lower quality options while trying to lure
people to more closed enviroments with promises of higher quality, but the
thing is that they're already doing exactly that anyway even with all the
black box DRM they have today so it really wouldn't be all that different from
that.

 _> An important issue here is how much the publisher gets to learn about the
user._

This whole list is also ridiculous considering that proprietary black boxes
are a way bigger unknown in terms of what they could be doing on the user
system than any say, JS-based solution. And the "user tracking" the DRM
supposedly couldn't do could be done separately in JS anyway, whether the
whole content protection is based on JS or not, so this list is once again
basically just a poorly thought distraction.

 _> Spread to other media_

This section is way too short and basically handwaves the issue away. "Music
probably won't go back to DRM and books, lol dunno, maybe they'd give up DRM
even when we're explicitly endorsing DRM for the web?" Endorsing any kind of
DRM in HTML standards has a very real danger of being a slippery slope. Hey,
now we can black box DRM <video>. When can we do it to <audio>? Music and
audio in general needs protection too! Hey, we got it for <audio>, now where's
our DRM support for <img>? Images need to be protected too, they're
copyrighted content after all! And what about text? Books and articles need
protection too! <p> needs DRM! And suddenly the DOM in your developer tool is
just a bunch of black boxes, and the Open Web is no more. In fact, developer
tools in general should probably be banned, someone might use them for anti-
circumvention purposes after all, and that would be illegal! The Right to
Read[1] is _uncomfortably_ real with the possibilities here.

 _> Despite these issues, users continue to buy DRM-protected content._

Well gee, it's not like legitimate users have much options in many cases.
Video especially tends to be DRM-infested pretty much everywhere you go. In
many cases piracy is literally your only option when it comes to getting
content DRM-free, which is a crying shame. This is once again no reason
whatsoever why we should just be okay with it and endorse DRM for what is
supposed to be Open Web.

 _> The web has to be universal, to function at all. It has to be capable of
holding crazy ideas of the moment, but also the well polished ideas of the
century. It must be able to handle any language and culture. It must be able
to include information of all types, and media of many genres. Included in
that universality is that it must be able to support free stuff and for-pay
stuff, as they are all part of this world. This means that it is good for the
web to be able to include movies_

Well, I completely agree with that...

 _> and so for that, it is better for HTML5 to have EME than to not have it._

...but this does not follow In fact, it goes pretty much directly against it.

[1] [https://www.gnu.org/philosophy/right-to-
read.html](https://www.gnu.org/philosophy/right-to-read.html)

------
raleighm
The latest episode of Reply All (podcast) is about W3C and EME:
[https://gimletmedia.com/episode/90-matt-lieber-goes-to-
dinne...](https://gimletmedia.com/episode/90-matt-lieber-goes-to-dinner/)

------
AtticusRex
The Free Software Foundation published a response to this thing already:
[https://www.defectivebydesign.org/blog/response_tim_bernersl...](https://www.defectivebydesign.org/blog/response_tim_bernerslees_defeatist_post_about_drm_web_standards)

------
frik
It's pretty clear when you look up the companies that sponsors/is on board at
W3C.

