
Reconciling Mozilla’s Mission and the W3C EME - fabrice_d
http://andreasgal.com/2014/05/14/eme/
======
josteink
This is terrible news from end to end.

To solve it, we need to tackle the root problem and not blame the browsers:
those who want to infect our open web with DRM.

Cancel your Netflix subscription. Let them know why. Same with Hulu. Same with
Amazon Video. Same with anyone who tells you that your open web is less
important than their unwillingness to embrace the new, digital frontier.

Don't give money to the asshats who push this crap. Simple as that.

This is only the beginning if you let them in. What will you accept next? DRM
infected images? HTML infected source which can only be decoded on Windows?
This is not the end. The line must be drawn and it must be drawn now.

~~~
jedberg
Canceling your streaming service subscriptions won't be sufficient, even if
everyone did it.

You have to stop consuming Hollywood content. Stop going to movies. Stop
watching TV shows. Stop listening to recorded music.

Then you might actually make a difference.

The streaming services are just stuck in the middle here -- Hollywood won't
sell them, or anyone, content without DRM.

DRM actually makes sense for a streaming service, where you only have a
temporary license to the content anyway. You're buying the right to watch or
listen one time -- how is that supposed to be enforced?

~~~
shmerl
As discussed below, DRM never makes sense since it's not effective anyway.

~~~
jedberg
You live in a very sheltered bubble if you think DRM is not effective.

For most people, DRM is enough to stop them. It's only a select few people
with a deep understanding of technology who can defeat even the most basic
DRM.

~~~
shmerl
_> For most people, DRM is enough to stop them. It's only a select few people
with a deep understanding of technology who can defeat even the most basic
DRM._

I don't think you get the point. Most pirates never try to beat any DRM. They
pirate what other capable few provide to them DRM free. Yes, some initially
break that DRM. But it takes one knowledgeable pirate to do it in order for
the rest to get it DRM free ever since. So, going back to the point above -
DRM is not effective for anything except degrading the product for legitimate
users.

------
abcd_f
It is naive to expect that decrypted media stream will ever be leaving CDM
module as so optimistically shown on that illustration.

Microsoft dropped and neglected a bunch of great features when shipping Vista,
but it went out of its way to drag Protected Media Path into it. PMP is
fronting a major industry effort to create trusted software _and hardware_
framework that on one end accepts encrypted stream and on other draws video
pixels on the screen, all the while showing a middle finger instead of raw
data to the user on whose system this whole circus unfolds.

It will be _laughable_ to think that CDM won't be PMP-based. Getting access to
the raw data with CDM in picture is a pipe dream. Mozilla, sandbox, open
source - no matter. CDM _exists_ to prevent raw data leaks.

[http://en.wikipedia.org/wiki/Protected_Media_Path](http://en.wikipedia.org/wiki/Protected_Media_Path)

~~~
wmf
_It will be laughable to think that CDM won't be PMP-based._

Even on Linux and OS X?

~~~
ds9
Edit: It's said to be a downloadable extra at user option.

The Moz page description of the sandbox says the CDM won't have any system
access, so it could not distinguish whether PMP is there or not, except maybe
by flags in the input from the browser. So either the Mozilla sandbox-CDM
can't work as described or PMP won't be required.

Someone correct me if I've missed something there.

~~~
zanny
So we're about to see Iceweasel fork a bit more from base Firefox and add a
button to render the "encrypted" content to file?

10/10 media industry, you guys are just the absolute best about sticking your
fingers in your ears and singing lalala while substituting reality with your
own where electrical charge isn't replicable.

------
mindcrime
_and in the near future this should allow us to retire plugins altogether._

I don't see this as a universally "Good Thing".

 _The Web has evolved to a comprehensive and performant technology platform
and no longer depends on native code extensions through plugins._

You mean the Web has evolved into a Doctor Frankenstein's monster like hodge-
podge of kluged together hacks, layered on top of layers of other hacks,
layered on top of still more hacks, in order to make a Web Browser a poor
man's operating system.

So if we can extend our operating systems by installing programs, why
shouldn't we be able to extend our poor man's operating system by installing
plugins?

I'm assuming this is referring to killing of NPAPI and not other "extensions"
mechanisms, but it seems (from what I've heard here and there) that people are
mostly proposing to replace NPAPI with "nothing" or with less powerful APIs
that would limit plugins significantly.

~~~
JoshTriplett
Replacing unsandboxed plugin APIs like NPAPI that can directly access the OS
with sandboxed plugin systems like NaCl and emscripten that support sandboxed
native code seems like a major improvement. The browser is quite enough attack
surface area; let's not expand it further by having plugins.

That said, while the article's described sandboxing approach to EME works
better than the alternatives (assuming content providers will support it),
that's a lot like saying "at least the arrow through your eye wasn't on fire".
Gee, thanks.

~~~
AnthonyMouse
> Replacing unsandboxed plugin APIs like NPAPI that can directly access the OS
> with sandboxed plugin systems like NaCl and emscripten that support
> sandboxed native code seems like a major improvement.

Until you want to write a plugin with a legitimate reason to directly access
the OS.

~~~
JoshTriplett
Legitimate reasons to directly access the OS are typically "there isn't a
browser API for this yet". We have multiple Open Source browsers now; submit a
patch to one or more of them to add a new API, and ideally start working to
standardize it. The result will be far better and more secure than a one-off
custom plugin to pass through specific OS functionality.

~~~
AnthonyMouse
If Firefox had an API that allowed you to do anything the OS allows you to do
then there would be no sandbox. If it doesn't then there are things you can't
do with the browser API that you could do with direct access to the OS.

~~~
nawitus
But the goal is not to do everything that native applications do, but instead
provide features to users. Here's an example: let's imagine it's 2005. You have
a native application that stores 1 GiB of data to the disk for caching of
media assets. Now you would like to reimplement that as a browser app, but
there's no browser API for disk access. What's the solution? You could provide
a browser API for direct arbitrary disk access, but that's clearly not secure
enough. Instead, File API was created with a lot of restrictions compared to
the api that the operating system has.

If you think it this way, you can go extremely far in replacing native
applications. I guess the core problem is that OS APIs were not designed to
execute unsafe code, but browser APIs are.

Ultimately, there's no application-level feature that couldn't be implemented
with a well-designed browser API.

In addition, I like it that browsers are creating new APIs relatively slowly.
The reason is simple: security is difficult, and there's time to actually
think about security issues.

------
belorn
Nothing prevents Mozilla if they would want to add a warning box similar to
self-signed certificates every time a website tries to access DRM code outside
the users control.

It would serve the goal of objecting to the EME, while users can continue to
access all content they want. It would also put the responsibility to the
website if the black box called DRM causes problems, locks up, or causes havoc
on the user. Third, it allows users who do not want DRM to hijack their
machine to explicitly express their approval before such code is executed.

~~~
cben
This is exactly the situation today with Flash. Click-to-play is akin to a
warning. Users are somewhat aware Flash causes problems, locks up etc.

------
davexunit
>We have come to the point where Mozilla not implementing the W3C EME
specification means that Firefox users have to switch to other browsers to
watch content restricted by DRM.

Then so be it. If Mozilla's mission is to improve and defend the "open" web,
then EME should never have been considered for implementation. They shouldn't
sacrifice their goals for the sake of market share.

~~~
joncrocks
Think about winning the battle vs. winning the war.

Mozilla could draw a line here, and no further, and not implement EME. But the
consequence might be that FF market share drop significantly, as "Mah
netflicks don't werk."

Suddenly Mozilla lose a large amount of revenue, development is scaled back,
and the relevance of FF is reduced. Eventually FF is marginalised and Mozilla
no longer involved in discussions about the future of the web. I think
everyone would be disappointed if that happened.

The issue here is that the W3C is trying to push a round peg into a square
hole. Laws passed by governments are in opposition to reality, and the only
way to solve the problem at hand is security by obscurity and 'trusted'
devices.

While it's noble of Mozilla to resist change of this type, it's fighting an
uphill battle against legal precedents and legislation that is trickling down
into technology. I don't think it's a battle that's winnable until changes are
made to IP frameworks the world over.

~~~
angersock
_But the consequence might be that FF market share drop significantly, as "Mah
netflicks don't werk."_

Then maybe those users deserve the loss of their freedoms.

------
uptown
"...Firefox users are at risk of not being able to access DRM restricted
content (e.g. Netflix, Amazon Video, Hulu), which can make up more than 30% of
the downstream traffic in North America."

While this statement is factually accurate, using the file-size of a type of
content as a measure of relevance should be of little relevance to the
discussion.

------
shmerl
Netflix is considered the main driver behind this DRM madness. In the context
of Netflix, an often voiced reason for DRM is the fact that it rents movies,
rather than sells them. Besides DRM being completely ineffective to prevent
piracy, the concept of rentals itself doesn't make any sense for digital
goods.

The core logic behind a rental (for physical goods) is reusability. Physical
goods have a fixed cost of production per copy, so the price of selling it
should cover that cost. Renting is expected to be cheaper than buying, because
the object is returned to the renter which allows reusing it for new clients
without expenses on another physical copy. I.e. most of the price in the
rental case goes for the service of using it, and not for covering the cost of
production.

With digital goods this whole premise doesn't apply. There is practically zero
cost of producing another copy, so reusability is implicitly achieved with
practically no expense by copying bits. And it also means there is no need to
return the merchandise so it could be reused by others, since the merchant
easily duplicates the merchandise practically for free. Therefore why would
renting cost any different than buying? The whole concept of renting is
illogical for digital goods. Therefore user can buy the digital merchandise
for a (lower) price as paralleled by physical renting, while still retaining
the ownership.

Netflix proponents claim, that they are charged per month to access anything,
so in such context renting makes sense. But it still doesn't. They are charged
for the _service_ to stream the data. I.e. for convenience. It's cheap not
because they need to return the merchandise so others could reuse it (as
above). It's just cheap as is. There is completely no need to prevent users
from retaining a copy once they watched it (i.e. which means buying). In order
to put it in practical perspective, Netflix can be achieved without any DRM by
selling each copy for some small price or / and charging a monthly fee for a
convenience of streaming that data from the cloud while users could also keep
those downloaded DRM-free copies all they want. I'd totally subscribe to such
service. But I'd never subscribe to Netflix the way it is now because of DRM.

~~~
eridius
Claiming that rentals don't make sense in the digital age is focusing far too
heavily on the technical fact of how digital data works, and completely
ignoring the legality of things, including intellectual property.

If I make a movie and sell you a DVD, the terms of the sale prohibit you from,
say, showing this movie in a theater to a bunch of strangers and charging them
money. Yes, you own the physical DVD, but you don't own the _intellectual
property_ of the movie itself. This holds true for physical copies, and it
holds true for digital distribution as well. You are purchasing the right to
personal use of the movie (i.e. viewing), and that's it.

If you want to e.g. show it in a theater (whether or not you're charging
admission), you have to purchase that right separately. And that costs a lot
more.

In the case of rentals, the company that is doing the rentals pays for the
privilege of renting out the movie, and the cost they pay is predicated on
concurrent access to the movie being limited.

When it comes to digital rentals, limiting concurrent access to the digital
movie file doesn't make sense. Users who rent things digitally expect there to
be no wait. But in turn, they're only given access for a _limited time_. For
iTunes, that's 30 days since you paid for the rental, and then only 24 hours
since you started actually watching it. You can't rent a movie on iTunes and
watch it every day for a month, because you don't have that legal right. You
must pay for that privilege, which is to say, you must buy the digital movie.

For Netflix, the limited access to the movie is gated by you having an active
Netflix subscription. The moment you stop paying for Netflix, you no longer
have access to the movie. This again makes perfect sense, since you're paying
Netflix for the right to access all of their streaming movies for the duration
of your active membership. You are not paying for completely unrestricted
access.

Unfortunately, due to the nature of digital content, the only way to actually
enforce these legal restrictions is by use of DRM. It sucks, but it's a fact
of life. This is true for rentals, and it's generally true for purchases as
well.

~~~
shmerl
_> yes, you own the physical DVD, but you don't own the intellectual property
of the movie itself. This holds true for physical copies, and it holds true
for digital distribution as well._

This is really irrelevant. When you buy a book you also own the book, and not
the intellectual property it contains. Same thing with files - you can own the
file, but not the intellectual property it represents. So legally nothing is
wrong with buying digital goods (files), while the intellectual property they
hold is only licensed to you (and not sold). I don't see how it correlates
with any necessity for DRM.

 _> But in turn, they're only given access for a limited time_

I don't see a need for it. Limited time of rental is justified for physical
goods. For digital it's not (I explained above why).

 _> This again makes perfect sense, since you're paying Netflix for the right
to access all of their streaming movies for the duration of your active
membership. You are not paying for completely unrestricted access._

I understand Netflix terms, what I question is their sensibility. You say it
_makes perfect sense_. I don't see any sense in limiting access. Netflix can
charge the same thing for unlimited access, plus allowing making backups and
still make the profit (it can add a charge per file if they worry that users
would just download the whole catalog at once).

 _> Unfortunately, due to the nature of digital content, the only way to
actually enforce these legal restrictions is by use of DRM._

No, DRM can't enforce it (since this stuff is pirated practically
instantaneously). So why is it used?

~~~
wamatt
_"No, DRM can't enforce it (since this stuff is pirated practically
instantaneously). So why is it used?"_

Strongly suspect this is due to contractual obligations with the studios.

The agreements will almost certainly stipulate that content must be
sufficiently protected. Hence Netflix plays ball, if it wants access.

~~~
shmerl
My question "why" was not pointed at Netflix. It was pointed at publishers
(studios, etc.) which demand that DRM. They have no valid answer for that
question.

While Netflix aren't an ideological champion for DRM, they are a huge
proliferator of it. Compare it to distributors which sell only DRM-free
content and actually attempt to influence publishers to sell through them
(like GOG for games). Those are actually doing something good! Netflix just
help to spread the sickness claiming that "they have no choice". But that's a
poor excuse.

~~~
wmf
It's a form of price discrimination. If you want to watch a movie once
("rental") it costs $5 but if you want to watch it unlimited times it costs
$20. As a customer, I appreciate this because it allows me to pay less when I
want less.

~~~
shmerl
Why discriminate? Let's say users watch N movies per month on average. They
can set average purchase price per movie at $20 / N, not at $5. That's it.
They can combine the two to make it more even. Charge X per month for the
convenience of streaming and Y per movie for the purchase (and aim to arrive
at the same $20 / month roughly). All that doesn't require any DRM.

~~~
nitrogen
Because money. If 20 users are willing to pay $20, and 80 are willing to pay
$5, Hollywood can make $20*20+$5*80=$800 instead of $5*100=$500.

~~~
shmerl
It's not $20 per film. Not sure what you are calculating.

~~~
nitrogen
It's an example. The exact price can be used in the same formula. Read
[https://en.wikipedia.org/wiki/Price_discrimination](https://en.wikipedia.org/wiki/Price_discrimination)

~~~
shmerl
I find such price discrimination to be a despicable practice, unless we are
talking about differentiating prices because of different average level of
income in those markets. And even so, regional discrimination becomes even
less relevant in the digital space. The fact that such practice leads to
resorting to unethical methods in the digital world (DRM) implicitly proves
the point that it's crooked.

Related subject discussed on GOG:
[http://gog.com/news/getting_back_to_our_roots](http://gog.com/news/getting_back_to_our_roots)

~~~
nitrogen
I agree, but they have every financial reason to keep doing it. How would you
convince them to sell one product for one price to everyone for less total
money?

~~~
shmerl
Usually such crookedness can be avoided if competition is high enough. I.e if
competitors can be profitable without ripping customers off, they could do
that in order to attract customers to their option. Seeing that they are
losing customers, those who resorted to price discrimination start thinking
about restraining their greed. Unfortunately when competition is weak, or all
participants agree on using this crooked practice to keep the prices high
(which should be illegal really), they get away with it.

------
ivanca

        <audio drm="true">
        <img drm="true">
        <article drm="true">
    

As soon as you let them put a foot in your house, it is absurd to believe that the
rest will not follow.

------
nawitus
>preventing users from saving the content

How can an open source software prevent users from saving the content? If the
CDM decrypts to plaintext, it should be trivial to modify the open source
sandbox to save the plaintext data. (Obviously the software can prevent saving
the content by default).

~~~
chimeracoder
According to Mozilla's official statement[0], it will not be open-source (it
will be an open-source wrapper around the closed-source binary)

There is still the question of the analog hole[1], but that's a separate
matter (unrelated to open source vs. proprietary binary blob).

[0] [https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challen...](https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serving-users/)

[1] [https://en.wikipedia.org/wiki/Analog_hole](https://en.wikipedia.org/wiki/Analog_hole)

~~~
AnthonyMouse
Nobody really uses the analog hole. It's actually easier to do it digitally,
and will remain so, because securing a device against arbitrarily many
attackers with physical access and arbitrarily large amounts of time and
resources is a practical impossibility. The analog hole is just the formal
proof that DRM can never be effective, because if you can see it or hear it
you can record it.

~~~
mike_hearn
Actually Cinavia is an interesting example of trying to close the analog hole.
You can point a camcorder at your screen and record a movie, but if you try
and play that recording back on a fancy TV or BluRay player, it still won't
work because the audio track has encoded instructions in it saying "expect an
encrypted/DRMd media stream". If the player sees the content expects to be
DRMd, it silences the audio after about 20 minutes.

~~~
darkmighty
That's quite interesting! Does it rely on steganography? Because as far as I
know, it's quite difficult to keep the integrity of stego contents if the
system is public knowledge (e.g. a low pass filter may destroy high frequency
watermarking). The sheer amount of degrees of freedom in a minute of 30fps 4k
video though makes it seem not so hard to accomplish a steep ( video quality x
decoding probability ) tradeoff for attackers.

Of course, then there's the software integrity problem -- I can't imagine a
feasible system that prevents bypassing the software verification completely.
Or, for hardware checks, I can't see a regulation enforcing "All TVs _must_
have this enabled" (i.e. you just buy from an open brand).

This would be more interesting though for authenticated video streaming.
Imagine every user is required to reveal a real identity to retrieve content.
Then they can not only watermark the content but point to the exact user
responsible, as long as the content has enough degrees of freedom to support
it. Makes file sharing a lot harder if you can be held responsible after an
indefinite period.

~~~
mike_hearn
It watermarks into the audio track and is by all accounts incredibly
sophisticated and robust. Pirates have been trying to destroy the watermarks
for years and all they achieved is making the soundtrack unlistenable.

For bypassing the software verification, it can be made quite hard although
it's kind of irrelevant today because it only became mandatory (via BluRay
Consortium "regulations") in 2012. So there are still lots of players around
that don't do it and this will be the case for the foreseeable future. Verance
is doing a big push to get it into TVs and other things but I'm not sure how
successful they are being. The technology works without a doubt but of course
when you add up licensing costs, etc, it's not always necessarily a win.

------
oscargrouch
All the system is rot from the bottom up.. The Honcho's (tm) are putting their
dirty hands and corrupting all over .. even the things we take for granted as
community driven and serving for a greater good

Don't use Netflix, Don't support DRM, fight for DRM free software..

We took millions of years to make copy and cloning of any information free (as
in freedom and in beer) and now some bastards want to turn this into a crime
just because they want to profit?

It's just the beginning of something really bad that can corrupt all of the
good things we take for granted now, as free education, knowledge sharing and
the free flow of information

------
cwyers
I understand Mozilla's philosophical objections to the EME, but if the
alternative is Flash/Silverlight (and it's pretty clear that is, in fact, the
alternative), I don't think Mozilla's mission loses out by implementing the
EME.

~~~
stormbrew
Flash works on the three major desktop/laptop OS', ChromeOS, all the consoles
afaik, and Android. EME will probably result in balkanized DRM that will never
work on a bunch of those things (or you'll have to worry about whether the
content you want to watch supports your platform).

EME is a _step down_ from Flash for consumer choice. A big fat one.

~~~
tedmielczarek
Flash DRM has never worked on Linux, AFAIK.

~~~
hsivonen
See "Linux" in [https://www.adobe.com/products/adobe-access/tech-specs.html](https://www.adobe.com/products/adobe-access/tech-specs.html).

The problem is that copyright holders can still stipulate policies that
exclude Linux. For example, [http://voddler.com/en/](http://voddler.com/en/)
greets Linux users with "Here you can rent and play movies. For even more
movies and TV-series, visit us from your PC or Mac, where we have a even
larger selection."

------
natch
>we vary this unique identifier per site (each site is presented a different
device identifier) to make it more difficult to track users across sites

What a load of horseshit. They know perfectly well that different identifiers
can be tied to the same user with other shared identifiers like advertising
tracking identifiers, and yet they pretend they're somehow solving the
problem.

Worse, the focus on privacy, while fine, misses the point. Users WANT to be
able to download and save content for later consumption. Enabling the
prevention of that is not a user friendly act. Sure, content owners have to
cope with content sharing and piracy. But maybe that's for the best. Really
great content owners like O'Reilly Publishing are providing non-DRMed content
today and doing just fine. Create more value than you capture.

Something is rotten at Mozilla. They should be fighting this tooth and nail,
but they're going the way of the money. And giving Adobe more credibility in
the process... ugh, talk about adding insult to injury. This will mark the
demise of Mozilla as a respectable organization.

------
fiatmoney
It's very important that users be able to disable ALL of this functionality
with a simple compiler flag. Not just disabling it in the process.

We've seen the failure of "sandboxing" over and over again, and especially
with a closed-source, certain-to-be-compromised payload, it's guaranteed that
at some point it will be breached.

~~~
ibotty
did you read the blog post? you have to actively consent in installing that
plugin to use it. without plugin the sandbox is code without attack surface.

~~~
fiatmoney
It's unclear to me from the post that the sandbox code will be unbundled from
Firefox. Furthermore, it should be possible to distribute a compiled version
of Firefox that doesn't have the ability to install the module in the first
place, with a minimum of effort.

If you don't enable it by default, but the first time a user visits any
website with a video ad they get a clickthrough that downloads and installs
it, a huge portion of the user base will end up with it installed. This is
less than desirable if you care about security.

I'm sure security- or ideological-focused distros will do a version of this
anyway, but it should be supported upstream to segment the code as much as
possible so as few vulnerabilities leak into the "main" codebase as possible.

~~~
Dylan16807
I don't understand your argument. If you are installing firefox for yourself,
you don't need a version with the support compiled out; just don't install the
plugin.

If you are installing firefox as sysadmin for someone else, you don't need a
version with the support compiled out; don't give the users rights to install
plugins.

What use case has less security just from the sandbox being enabled?

------
wmf
I saw an interesting comment from gerv @ Mozilla: "Current plan: CDM can
scrape memory to check sandbox is a sandbox it trusts."
[http://lwn.net/Articles/598640/](http://lwn.net/Articles/598640/)

------
pirate_arrgh
You know, I've long avoided the Pirate Bay for movies and other copyrighted
media, and I pay monthly for Netflix and Amazon Prime.

However, if Netflix is going to push shit like this and PMP in our faces, then
I think I'm going to have to take a look at this Popcorn Time app.
Particularly with PMP, it's getting to the point where it's hard for "media-
compliant" Linux users to run our open source OS and legally access media at
the same time.

------
makomk
I'd be interested to see if any content providers actually make use of this;
it seems to be missing certain technical requirements they claimed their
partners required during the EME design phase. (In particular, a secure
hardware video path and robust node-locking support. This design doesn't
appear to actually be able to lock content playback to particular hardware at
all if anyone makes even the most trivial attempt to bypass it.)

~~~
wmf
The history of SDMI vs. iTunes and AACS vs. Windows XP has taught me that DRM
"requirements" are just the opening position in a negotiation. Apparently
Mozilla doesn't have enough leverage to get rid of DRM completely but they
have enough to water it down a bit.

~~~
makomk
Possibly, but they've already managed to get the W3C and several of the other
big browser vendors to agree to meet those requirements, which gives them some
pretty strong leverage.

------
josephlord
So the open source wrapper can receive unencrypted audio/video frames. Does
that mean it does the video decoding too or does it get the compressed stream
back?

Either way it doesn't sound like a very strong protection of the content as
you can access it with at most a single generation compression loss.

Is it me or are the content providers and the DRM providers realising the
limits of DRM and loosening their requirements?

~~~
higherpurpose
No, it just means they were ignorant enough about the technology to allow
Mozilla to do it this way - _for now_. Also, Mozilla gets to say now that
"look, we're implementing DRM, but _it's not so bad_".

However, once the content owners see how useless this method is (they all are,
but this in particular), they will demand heavily proprietary closed source
down to the metal software to protect their content. And since Mozilla has
"already" kind of agreed to do this, they'll have no choice but to implement
that _much worse_ version of DRM.

------
Cyclone_
Wonder what Brendan Eich would have thought of this.

~~~
icebraining
Wonder no more: [https://brendaneich.com/2013/10/the-bridge-of-khazad-drm/](https://brendaneich.com/2013/10/the-bridge-of-khazad-drm/)

He said essentially the same thing; _"We are working to get Mozilla and all
our users on the right side of this proposed API. We are not just going to say
that users cannot have access to streaming Hollywood movies, as that is a good
way to lose market share and not have any product with which to uphold our
mission."_

------
jgon
This is a sad day for the web, but it was honestly one that was inevitable,
and one that we all had a hand in making. If you want to know why we have DRM
in the web, step 1 is taking a look in the mirror. Mozilla does not represent
a majority market share of browser users, and so their voice in the W3C can be
over-ruled by the voices of the other stakeholders, among them 3 enormous
corporations with substantial media interests.

What follows is harsh, but I believe it to be true. Feel free to tell me that
I am wrong, because I fully admit that I could be letting my emotions speak
and I could be wrong.

Back in the day the web was ruled by a monopoly and it sucked. Mozilla
released Firefox but the web only broke free of Microsoft's control because
people like us did the work to break that control. I started using firefox,
and I helped get most of my family members onto it. And many of my tech savvy
friends did the same. Slowly but surely Mozilla's market share grew until it
reached the point where Microsoft had to react and start to implement web
standards, because if they didn't people weren't going to wait for them. They
were going to switch to Firefox. And for a brief time we had the promise of a
global network for the distribution of information not controlled by a single
large corporation, but worked on by a committee which had a large part of its
membership come from a public benefit corporation, whose only interest was
empowering people to use that network to enhance their lives.

The web exploded, and fearful of being left behind large corporations got into
the game with their own browsers. And rather than learn from what happened
last time we let a large corporation get majority user share, we, and by "we"
I mean you and I and all of the other people who should know better, went
right for it.

Google released a cute cartoon describing the inception of chrome, beginning
with hiring away people from Mozilla, talking about all of the great things
their browser would provide. Microsoft started up development of IE again, and
Apple released Safari. A lot of us looked at Firefox and said "Thanks for
helping to save the web as we know it, but Chrome is _so_ much more minimal!
Safari has a great _look and feel_! See ya later". Richard Stallman gets a lot
of flak around here for his eccentricity when it comes to computing, but
goddammit the man can see past his own nose and understands that taking a dump
on the only body advocating for you and I in favor of switching to something
on such trivial concerns as "look and feel" is a great way to end up right
where we are today. Where Mozilla has been marginalized so much by the
relentless rush to Chrome that Google can go ahead and implement a DRM scheme
on its proprietary OS and then force that through the Web Standards body with
the help of Apple and Microsoft. When Mozilla doesn't have enough market share
to stop it, because we've all switched over to Chrome based on Octane
benchmark scores, and switched over our parents and friends. Where I routinely
run into "desktop" sites that are straight up broken in Firefox and fine in
Chrome because people can't bother with anything other than webkit prefixes,
and where the mobile web is an even bigger disaster of Chrome/Safari specific
junk.

So a few years from now, as you continue to bask in the glow of Google's super
minimal interface and Safari's incredible smoothness, as Chrome sends your
browsing data back to Google and DRM starts to leak into other areas of the
web (want to save that image? Sorry! Want to copy this text? Protected! Don't
even think about looking at the source) cast a thought to Mozilla, probably
still working away to do the best it can for you. Then ask yourself if selling
out the web was worth it for the handful of beads you got from all the
interests that wanted to close it down and lock it up, and if all the
smoothness and look and feel in the world was worth it for the promise of what
the web might have been had we not let it slip through our hands.

------
iandanforth
Why is this even an issue? Sure it's offensive. But it's offensive like
someone flipping you off, not like them breaking your leg. I am aware of zero
freed-media channels that begin with web content. Music, movies, TV shows; all
of the content that isn't available through corporate means is available
online from people who don't copy the bits off of their browsers.

This DRM is trying to plug a hole that isn't leaking.

------
lucb1e
Why not make it a configuration option whether to enable the DRM in Firefox?
People who only want to see non-DRM content (much like people running
GNU/Linux with "libre" software only) can simply disable the DRM, and the
users that are not actually tech savvy won't have to resort to, say,
_shudders_ MSIE.

~~~
chimeracoder
I'm wondering this as well - why can it not be implemented (from the browser
perspective) as a plugin that is downloaded upon first use?

Isn't this what Iceweasel on Debian will have to do anyway, since Debian
cannot ship non-free software in their main repositories?

~~~
mbrubeck
Yes, it will be a plugin that is downloaded on first use. That's exactly what
the blog post describes.

------
yuumei
So this DRM is going to use the hardware TPM on CPUs I would imagine. This
would make it very difficult to break. Well done everyone that supported UEFI!

------
higherpurpose
So - what other good truly open source browser is out there?

~~~
Ygg2
Firefox.

Chromium is a mess, Opera is Chromium, WebKit will support this no doubt.

~~~
bzbarsky
Given that Apple is one of the major DRM vendors, it's a pretty good bet that
Safari will support EME. WebKit proper, it's unclear.

------
pekk
Mozilla can't hold the line on DRM, but Mozilla has no trouble holding the
line on the Javascript monopoly.

~~~
kipple
Scuse my ignorance, which JS monopoly? What is Mozilla doing?

I love mdn for my js reference needs, something to do with that?

~~~
icebraining
I believe pekk's talking about not supporting any other client-side languages
besides JavaScript (e.g. Dart, PNaCl, etc).

~~~
kipple
I was under the impression this is true of all browsers, don't all client-side
languages like Dart or TypeScript compile to JS before they can be run?

~~~
icebraining
No, Chrome has supported PNaCl natively since version 31. And they already
have a fork of Chromium with a native Dart VM.

------
wfjackson
The writing was on the wall a while ago once Google implemented this into
Chrome (Netflix on Chromebooks was the first real world use of this IIRC).
Firefox no longer has the market power it once used to have thanks to Chrome
being bundled and installed by default with Flash, Acrobat and Java updates
etc. Google has been spending massively on pushing Chrome even bundled as
default on new machines with OEM agreements to reduce payments to Mozilla in
the long term and it's working since the past few years.

Pluginless HTML5 support for H.264 followed a similar path, in which Google
promised to remove support from Chrome in favor of WebM (which FF and Opera
added support for) but never did, in the meantime Firefox and Opera relied on
the promise and then were forced to start implementing support once they
realized Google was not going to keep the promise and it was hurting them and
then included support (I don't think Opera ever did?).

Three of the four major browsers, Chrome, IE, Safari are owned by huge
corporate interests and Mozilla is pretty much powerless since users blame FF
if it doesn't support something, so I expect more of such things to happen in
the future. It's pretty much game over at this point and I fear this is only
the tip of the coming iceberg with all these companies having huge media deals
for Play Store, XBox Music/Video and iTunes.

~~~
atopal

> in the meantime Firefox and Opera relied on the promise
> and then were forced to start implementing support once
> they realized Google was not going to keep the promise
> and it was hurting them and then included support (I don't
> think Opera ever did?).

Not only that, Mozilla partnered with Cisco to make h264 usage free for all.
Now, people can modify and redistribute Firefox and still retain the ability
to play h264. Something that Google gave a shit about when they included h264
in Chrome, but not in Chromium.

If you are using Chrome, don't fool yourself, you are not using an open source
browser, but you are helping Google further the agenda of its stakeholders,
and they made it clear what their priorities are when they took the first step
by implementing this on Chromebooks.

~~~
EdwardDiego
> If you are using Chrome, don't fool yourself, you are not using an open
> source browser, but you are helping Google further the agenda of its
> stakeholders

As an example, Chrome won't ship an adblocker by default... but they _will_
add code to prevent popunders from working.

Guess which ad format Google doesn't do...

------
13throwaway
Well then, how is Midori doing these days?

