
DRM/EME in HTML5 - an American thing - Tsiolkovsky
https://ameliaandersdotter.eu/2013/10/13/drmeme-html5-american-thing
======
asadotzler
I find it amusing that everyone is acting like there's no DRM today and this
is somehow an attempt at bringing DRM to the Open Web. DRM is already a
required and de facto standard for the Open Web -- it's just hiding inside of
NPAPI and ActiveX. It's there and it's even worse than DRM because there are
no DRM plug-ins that don't bring massive runtimes with them that are the
number one cause of security problems on the Web.

(If you do not have Flash or Silverlight today, you are not going to be able
to watch restricted content. Pretty much everyone has one or both installed
and will happily install it if it's not already on their system.)

Killing NPAPI and ActiveX, which is how DRM integrates with browsers today,
and replacing it with a much smaller and considerably safer API is progress at
_shrinking_ the proprietary surface of today's real Web.

This is two steps forward and one step back, folks. This is positive
evolution.

~~~
wmf
Flash is cross-browser and cross-OS, but I suspect CDMs won't be. Netflix
apparently doesn't mind "solving" the resulting fragmentation by encrypting
everything N times, but users of other sites may not be so lucky.

~~~
jmillikin
Flash is only cross-browser and cross-OS for {IE,Firefox,Chrome} on
{Windows,MacOS}. It barely works on Linux, doesn't work at all on iOS or
modern Android, and is in general a huge barrier to adoption for free
software. Not to mention its rich history of security vulnerabilities. The
only reason Flash hasn't been completely abandoned yet is because it's
currently the only widely-supported option for DRM.

Anyone who has worked extensively with legacy software can tell you that the
procedure for removing a deeply hated but heavily used piece of code is:

1. Wrap the entire mess in a giant API.

2. Reduce that giant API over time by rewriting bits of the mess in clean new
code.

3. Eventually you will have a few remnants that can't be rewritten, safely
contained behind a minimal API like rotten food in a garbage bag.

4. Wait until the market forces requiring (3) are obsolete, which may take
years.

5. Throw away the bag.

(1) is NPAPI and ActiveX. (2) is <audio>, <video>, <canvas>. (3) is EME, the
trash bag that will let us isolate DRM from the rest of the browser. Don't
fight against it on the basis of hating garbage. Everyone hates garbage, it's
just that we're more interested in watching House Of Cards than in throwing it
out right now.

~~~
gsnedders
Flash at least is a known quantity — it is possible to license to port to
one's own platform (assuming one can reach agreement with Adobe on licensing
terms), as was done for the Nintendo Wii (the port being done by Opera
Software). Will the EME plugins (and EME doesn't even have a defined API,
unlike NPAPI and PPAPI — so will likely be browser-specific even when they are
available) be able to be ported by third parties?

An argument such as that can quite probably be made to build a business case
against EME for a lot of device manufacturers shipping embedded browsers.

------
oscargrouch
Wow! That makes us wonder how Sweden (and Germany?) are advanced and
sophisticated in technological policies over the rest of us; they got people
from the pirate-party elected to the congress already? Look at all the
issues they are discussing, and the high level of the discussions..

Meanwhile, our governments either are in bed with the corporations or are
unprepared to deal with their lobby in a way that doesn't hurt people,
innovation, fair competition and democracy..

She has X-ray vision into this complicated issue and makes someone who
understands all the danger that comes from this evil game of monopoly feel
safer to have a good and prepared parliament to defend the interests of the
people the way she is doing..

I think that is an example of what our democracies need to breathe a new,
reinvigorating air, and get stronger again with the faith and trust of the
people

~~~
rmc
_Meanwhile, our governments either are in bed with the corporations or are
unprepared to deal with their lobby in a way that doesn't hurt people,
innovation, fair competition and democracy.._

If you think politics in Europe (at the local, national and European level)
doesn't have political corruption, I've got a bridge I can sell you.

~~~
oscargrouch
ha! ok.. That's definitely spread all over the world, unfortunately we are not
free from the spooks yet.. but what I meant is that they are a step further..
and I think that countries with stronger industries and big lobby groups will
have a hard time electing and creating real politics that can benefit the
interests of the population in the digital rights ground..

So it's not that they are not suffering from the same diseases of the
democracies all over the world.. it's the observation that by electing this
class of representatives, prepared for the XXI century and the digital age,
they are more prepared against those evil and corrosive effects on governments
imposed by an industry formed in the XX century and with a hard time adapting
to new times

------
RyanZAG
I find the funniest part of all of this DRM browser talk is that the people
most in favor of this kind of standardized DRM are pirates. It's fairly easy
to see why when you look at the obvious point that any DRM running client side
can be cracked. By standardizing it into the browser, you only need to crack a
single thing - the browser DRM module - and then you will have free and
unrestricted access to all of the DRM content with no additional work.

It's the same way PS2 piracy was so rampant. You only needed to install a
simple mod chip into your PS2, and since all of the DRM relied on that, you
could now run every game with no additional work. It created something of a
golden age for gaming piracy and the PS2 actually remains popular today in
certain regions because of it.

So standardizing DRM into the browser is a huge boon for pirates, and a
problem waiting to happen for everyone else. The stupidity is sometimes mind-
blowing.

~~~
devx
The hardware and the OS will hold the DRM, as far as I understand. That means
that if say pirates break the DRM on Windows, Microsoft can patch it by next
Tuesday.

That being said DRM by default in browsers (through EME) is probably the end
of the "open web" - or at the very least the end of a "clean open web",
meaning that everything will need to be hacked and cracked to make it work.
Want to copy text or an image from a website? You'll have to find the crack
for that website. Not to mention that doing that will be soon declared illegal
(if it's not already from the moment DRM is applied to something).

~~~
w0rd-driven
This. I don't get why so many comments gloss over the fact that this isn't
just about Netflix types of content, but something as simple as "view source"
becomes banned outright. It's a step above when sites restrict right clicks
because damn that image/whatever is off the hizzy and needs "protection".

Minification and obfuscation have often been enough so far but the slope we're
sliding down is pretty steep and if TBL wants us at the bottom a lot of people
are just going to follow suit. As someone who's finally embracing that
development is increasingly being pushed to the web over native devices, I'm
likely to be looking for yet another career shift (first from IT to software
dev) before it's all said and done. I do not look forward to debugging DRM when
I already loathe minified JavaScript. Tooling is already abysmally slow in
spite of Chrome's excellent dev tools (unmatched by any other browser or
plugin IMO).

While I do understand the concept of protecting IP, this measure is inherently
flawed right out of the gate. I'd honestly rather keep archaic Flash and not-
so-archaic Silverlight around because at least their tooling is decent. I
can't wait another 10+ years for this to catch up because everyone is
foolishly starting from 0, not building on their successes (however much or
little you define).

~~~
takluyver
Comments 'gloss over it' because that's not what this fight is about. EME does
not allow disabling 'view source' (unless I've completely misunderstood it).
It's a step down the DRM road, but assuming that taking one step that way
means we'll inevitably go the rest of the way seems hyperbolic.

~~~
w0rd-driven
https://www.eff.org/deeplinks/2013/10/lowering-your-standards is
where I got the 'view source' line. If it's hyperbolic, the EFF does a very
good job of pushing it.

I thought another article pointed blocking the command out in the spec but I
could be totally wrong there. Even so, nothing is stopping anyone from
building a dumb front end and placing the entirety of the logic in the DRM
container. Netflix isn't an argument in countries where it doesn't apply, like
much of the world. View source and the actual openness of the web would be
that argument, however. If it's a concoction made up by what the EFF believes
this fight would go versus an actual result of the fight as it stands, then I
sadly fell for it pretty hard. It's not a difficult leap to make but I'm
definitely more interested in facts over opinion based on someone's failing
attempt at predicting the future.

~~~
takluyver
I think the EFF is engaging in some FUD themselves on this. There's some other
project exploring ways to protect source code of web applications, and the EFF
suggests that, now that the W3C has touched some form of DRM, that will be
able to push a way for sites to disable 'view source'. I don't think that's
realistic - minification and copyright work well enough to protect JS code
already. I'm disappointed that the EFF is resorting to scare tactics like this
rather than debating the actual issue at hand.

------
jlebrech
I don't understand why they are pushing drm when they could implement a
webbytecode (ie. the v8 ast as a loadable blob) and just do the drm on their
own dime.

~~~
jmillikin
1. The only way to have even somewhat secure Digital Restrictions Management
is to have some proprietary binary on the local machine which can authenticate
itself to the display device. This requires a level of access permission which
you do _not_ want to provide to the web in general.

2. If the DRM blob were delivered via the web, then it would be trivially
easy to connect through a proxy that delivered its own ineffective DRM blob.
Content companies would not accept this solution.

3. The goal of EME is not to increase the number of people who can access
restricted content, it's to provide a replacement for the rapidly collapsing
Flash Player pseudo-standard. The various content companies require their
distributors to use something at least as good as Flash, but YouTube et al
know that Flash probably won't exist in a few years, so the race is on to see
which replacement will dominate the market.

---

The basic position of EME opponents appears to be that if we refuse to allow
DRM modules in browsers, then the companies pushing DRM will give up and let
us watch unrestricted video. This position, in my opinion, is fantastically
optimistic.

If EME is blocked, then these companies will either start distributing their
own customized locked-down applications ("You must install the Netflix Player
to watch this movie"), or will work privately with the major proprietary
browser platforms (IE, Safari, Android Chrome, ChromeOS) to implement what
they demand. Firefox and Chrom{e,ium} will be left out in the cold, and the
advancement of the open web will see a significant setback.

~~~
azakai
> If EME is blocked, then these companies will either start distributing their
> own customized locked-down applications ("You must install the Netflix
> Player to watch this movie"), or will work privately with the major
> proprietary browser platforms (IE, Safari, Android Chrome, ChromeOS) to
> implement what they demand. Firefox and Chrom{e,ium} will be left out in the
> cold, and the advancement of the open web will see a significant setback.

First thing, Chrome is a proprietary browser platform. Only Chromium should be
in the last sentence. I believe Chrome already ships with EME; I am not sure
if that includes Google's DRM plugin for it as well, but if not then that is
soon to come as well. Chrome already ships with various other proprietary code
(Flash, SwiftShader, a PDF reader, etc.) so this would not be a new thing.

Google and Microsoft have been developing proprietary DRM plugins, with
Netflix and Hollywood, for their browsers. EME is just a generic API to those
plugins. So your comparison of what will happen with vs. without EME appears
flawed: in both cases, only proprietary browsers that include DRM plugins,
which are the result of private collaboration with Netflix and Hollywood, will
be able to access content. And yes, that would leave out open source browsers
like Firefox and Chromium - with or without EME.

I also disagree with the premise underlying

> The basic position of EME opponents appears to be that if we refuse to allow
> DRM modules in browsers, then the companies pushing DRM will give up and let
> us watch unrestricted video. This position, in my opinion, is fantastically
> optimistic.

I agree to the conclusion - that it is highly optimistic to see Hollywood
quickly move to unrestricted video. But you are assuming there is no other
option. There are in fact several:

1. Watermarking as an alternative to DRM, that achieves similar results.

2. Non-proprietary DRM solutions, either standardized (which EME does nothing
for, intentionally) or done in web content (HTML5). Those would not be as
secure as proprietary binary blobs (what EME assumes), but could still prevent
99% of casual piracy - and professional piracy isn't stopped even by the
blobs.

3. Eventual movement to unrestricted video, perhaps after a period of using 1
and/or 2. We saw this in music, it took a while, but sanity prevailed.

~~~
jmillikin

      > First thing, Chrome is a proprietary browser platform.
      > Only Chromium should be in the last sentence. I believe
      > Chrome already ships with EME; I am not sure if that
      > includes Google's DRM plugin for it as well, but if not
      > then that is soon to come as well. Chrome already ships
      > with various other proprietary code (Flash, SwiftShader,
      > a PDF reader, etc.) so this would not be a new thing.
    

I want to distinguish between a browser platform, where the browser is
considered an integral part of the underlying OS, and standalone web browsers.
Chrome and Firefox are regular applications, they do not (yet?) feature the
deep OS integration that would be necessary to implement functional digital
restrictions.

Google's DRM plugin is currently available for both Firefox and Chrome through
the standard Netscape plugin API, but is not bundled with either browser.

    
    
      > in both cases, only proprietary browsers that include
      > DRM plugins, which are the result of private
      > collaboration with Netflix and Hollywood, will be able
      > to access content. And yes, that would leave out open
      > source browsers like Firefox and Chromium - with or
      > without EME.
    

If I'm reading the EME spec correctly, then EME plugins can be installable by
the end user in the same way that Netscape plugins are today. Assuming the
browser chooses to implement the plugin system, both Firefox and Chromium
ought to be able to use DRM plugins from the system.

    
    
      > 2. Non-proprietary DRM solutions, either standardized
      > (which EME does nothing for, intentionally) or done in
      > web content (HTML5). Those would not be as secure as
      > proprietary binary blobs (what EME assumes), but could
      > still prevent 99% of casual piracy - and professional
      > piracy isn't stopped even by the blobs.
    

Any non-proprietary DRM solution would not be able to stop even casual piracy.
The casual pirate will search for [download netflix movie], click the first
link, install a browser extension, and get a one-step piracy button right in
their browser.

That's what content companies are terrified of, and any DRM system that can't
stop this sort of pirate will not be accepted.

    
    
      > 3. Eventual movement to unrestricted video, perhaps
      > after a period of using 1 and/or 2. We saw this in
      > music, it took a while, but sanity prevailed.
    

We have not seen a victory for free formats in music. The majority of music
online is still distributed wrapped in layers of digital restrictions (e.g.
Pandora, Spotify) or in patent-encumbered formats (e.g. iTunes, Google Play,
Amazon).

~~~
makomk
> If I'm reading the EME spec correctly, then EME plugins can be installable
> by the end user in the same way that Netscape plugins are today.

They can be, but neither the browser vendors nor the content providers have to
allow them to be, and the EME spec doesn't standardise any equivalent of NPAPI
that standardises the interface between them and the browser. Browser vendors
can (and it appears will in some cases, e.g. Internet Explorer) only support
EME modules supplied by them and compiled into the browser binary; this is
anticipated by the spec.

------
chris_wot
She makes a good point. Netflix doesn't work at all in Australia. This is very
much an American thing.

