
YouTube Ditches Flash, and It Hardly Matters - sinak
https://www.eff.org/deeplinks/2015/01/new-drm-boss-same-old-boss
======
geofft
One thing to note is that (last I heard) both Chrome and Firefox sandbox EME
modules fairly tightly. Flash is a browser plugin, which means that it usually
injects code into the browser itself, and runs with full privileges on your
computer, just as much as your browser does. This is what makes Flash such
fertile ground for exploits of all kinds, and also makes it bad for your
privacy because it has direct access to your webcam, microphone, clipboard,
supercookies, etc. — anything the browser can do, Flash can do without asking.
If it asks, it's out of the kindness of its heart, not because the browser has
any say.

Chrome and Firefox's sandboxes, meanwhile, are both open-source. You can
inspect what powers the EME module might possibly have, and know that it can't
gain any more. A vulnerability in the code is unlikely to be able to do
anything other than pirate your download of _Game of Thrones_ — and that's
assuming it even has general-purpose network access. Ideally, a vulnerability
would be able to do nothing other than modify the video you see, but the
remote site could achieve that by encoding a modified video in the first
place.

As far as the general moral arguments about DRM go, it's true that the new
boss is the same as the old boss. But the bulk of the EFF's argument against
Flash in this blog post is about security, not about open content, and it's
important to acknowledge that EME is a significant step forward. The new boss
is sitting in a tightly locked cage.

~~~
zobzu
Its more about freedom than security tho. Really if anything, EME is about
security for vendors, not users. Really, not much to do with the fact that
it's sandboxed. Its not like if proprietary, freedom-restricting software was
suddenly ok because there's some kind of a sandbox around it.. as if the only
issue with these was that they're poorly coded and supported.

~~~
AnkhMorporkian
No user is being forced into using this. I haven't really followed this
argument from the beginning. Philosophically I despise DRM, but pragmatically
as long as it isn't forced on users as _the only option_ , then I don't see
any issue with an extension having that option being available.

~~~
FeeTinesAMady
It will be forced on the users, though. If it becomes widespread, the choices
are to support DRM or be locked out of the web.

~~~
AnkhMorporkian
> If it becomes widespread, the choices are to support DRM or be locked out of
> the web.

Or use a free and open source browser that doesn't implement it. If this is
something people want to take a principled stance against, those browsers will
doubtlessly continue to exist.

Unless you're referring the content access. That's a general trend with
technology that likely won't be stopped. If you choose not to use certain
technologies, it's unsurprising that you won't be granted access to certain
things.

------
slang800
And through all this effort to "protect their content", they still haven't
managed to stop people from bypassing the DRM and giving the videos away for
free in torrents.

I have a hard time seeing how implementing DRM provides any value to media
companies, other than a false sense of security.

~~~
quadrangle
The purpose if DRM is _not_ to stop people from illegally copying. The purpose
is to control and manipulate the _legal_ users and limit their freedoms they
would otherwise legally.

Yes, DRM developers lie to us and _claim_ that this is about stopping
infringement. But that's only a pretense. They know that it only impacts non-
infringing users. But they like having more control and power over the non-
infringing users.

See
[http://www.defectivebydesign.org/faq#purpose](http://www.defectivebydesign.org/faq#purpose)

~~~
kmonsen
That is also the purpose of door locks btw, and I am assuming you have one of
those on your door.

~~~
rakoo
Wrong. DRM is a tool of the distributor against the user (remember: when you
have a DVD, you don't own the content; you only have a license to view its
content under certain rules. DRMs make sure you follow these rules).

The lock is a tool of the user against third-parties.

~~~
zanny
The analogous door lock on your computer is your firewall or USB autostart
permissions or an encrypted hard drive.

------
dredmorbius
EFF's view is that we've been sold down the river with EME (Encrypted Media
Extension).

Except ... that I seem to be able to access most online video content
(certainly on YouTube, Vimeo, and other major sites) via youtube-dl.

And hugely prefer to do so. It's much more useful for me to be able to queue,
speed up / slow down, pause, _resize_ and otherwise manipulate video _with
consistent controls_ than to have the limited (and varied) interfaces various
online video / multimedia sites offer.

I've got a video playing as I write this, well, paused, at 133% playback
speed, in a small 250px x 190px window -- when I can give it my focus again
I'll simply mouse over it and tap 'space' to resume playback. If I want to
skip back a few seconds, or a minute, the left or down keyboard arrows do that
for me. As they do for all video I play. I can also normalized audio levels
(many are too low, this one's actually got a tendency to clip), and more.

~~~
belorn
If you are going to use unauthorized methods to gain content, there is many
convenient ways to do so. Most are not effected by DRM.

The issue with DRM on video is one which lawful consumers of content has to
deal with, and those who run programs which is infected by said DRM.

~~~
dredmorbius
Um. Who elected you god and decided youtube-dl is "unauthorized"?

I was actually inquiring as to how such use is impacted by the decision. I've
found few or none. Then again, there's little commercial content I've interest
in regardless.

~~~
dahdum
belorn probably figured the terms exclude it, I was curious and checked -
seems so. Maybe they've authorized your method specifically somewhere though?

[http://www.youtube.com/t/terms](http://www.youtube.com/t/terms) You agree not
to access Content through any technology or means other than the video
playback pages of the Service itself, the Embeddable Player, or other
explicitly authorized means YouTube may designate.

~~~
allendoerfer
Yeah, well, I never confirmed the terms. "By using it, you agree …" is not a
binding contract in Germany.

~~~
raldi
Nobody claimed it was a contract violation, or even illegal, just that it was
not authorized by YouTube's TOS.

~~~
allendoerfer
The first comment actually just said, that it was "unauthorized". By creating
a website and making it available on the WWW, you implicitly authorize the
user to use a browser to access the website. Which form of browser the user
chooses is none of your business. All browsers are therefor always authorized,
if you do not restrict the access yourself.

Of course some basic laws have been added since the birth of the web. You are
not allowed to flood a site with requests and so on. But the principle that
browsers and websites are separate entities still applies.

If you want full control over your users clients, create your own protocol and
your own client. As long as you use open protocols on the web, you implicitly
agree to the contracts of the www and have to live with the fact, that the
user chooses his client.

~~~
belorn
In Sweden, there was a famous case in which this premise was tested. A cable
channel gave out a public accessible web link to customers after payment,
which then got naturally shared. The cable channel sued the person who shared
the link, arguing that it was copyright infringement since it allowed
unauthorized users to access the site (case called Canal Plus-fallet). The
defense argued that since there was no restriction added to the site, that
that meant it was public.

The court went with the side of the cable company, even if many commentates
disagree. What effect a Swedish case can have on German law depend, but using
European court case as guides is quite common in Swedish courts if there is no
other prior cases. Same might apply for German courts.

~~~
allendoerfer
That is unfortunate. I think from a technical point of view, my interpretation
of the "laws of the web" are true. What courts decide is an other story.

It is part of the bigger problem, that courts do not understand every aspect
of our complex society and have to listen to experts, which just defers to
problem to the election of these experts. You do not want to give them the
power either, because they are easier to lobby than justices.

I just hope, that a generation of justices and politician arises, that
understands basic principles the web is built on. Like links, that give the
web its name, and how they work, who can control them and so on.

------
sowhatquestion
I distinctly remember being upset about DRM in the '00s, back when it was
being used to place onerous restrictions on content that people had ostensibly
"bought" (CDs, DVDs, AAC audio files, etc.). Now that it's being used to
prevent people from saving streams... I hate to say this, but please remind me
why I should be upset? I never had any illusion of "owning" a stream. Not only
that, I would rather stream than own in most cases.

~~~
logn
Because it's a lot harder to make a competing web browser now. You'll have to
buy the secret binaries from one of the DRM providers, if they'd even be
willing to sell.

~~~
geofft
Firefox, which is open source, both sandboxes the Adobe decryption
module—giving the browser control over the world that the Adobe module
sees—and fetches it at startup from Adobe's site. It seems almost impossible
that you'd be unable to hit the same URL from your own browser and put it
inside your own sandbox such that the module can't tell it's not running
inside Firefox. You have the hard constraints that the module can't examine
the outside world except through the sandbox, and the sandbox itself is open
source.

Edited to add: Widevine, the (Google-owned) decryption module Chrome uses, has
no license fees. [http://www.widevine.com/](http://www.widevine.com/)

~~~
AnthonyMouse
As an actual example of the problem, there are millions of PowerPC Macs out in
the world that run perfectly adequately with Linux and are capable of playing
HD video. Is the opaque binary blob hardware-independent?

If it is then I can't even imagine what its purpose is supposed to be. If my
"hardware" is a virtual machine that captures the video output to a file then
the blob isn't even _doing_ anything. And if it's not hardware-independent
then there are obviously going to be innumerable minority platforms that it
doesn't support.

~~~
Matumio
I think they have given up to prevent you from capturing the output. The
binary blob does decryption and decoding in one step, which prevents you from
replaying the compressed stream.

~~~
AnthonyMouse
I don't understand how that is even supposed to be useful. The output is still
digital HD video. The higher the quality of the video the fewer compression
artifacts there are going to be and the less having to re-encode once will
make any difference whatsoever. And it would only have to be re-encoded once
regardless of how many times it's played back or copied subsequently. If
they're hoping for some kind of VHS-style degradation of the video quality
they obviously haven't actually tested it.

------
hyperion2010
Somehow this reminds me of my long running rage against all things webapp and
javascript. Companies have started using the browser as a substitute for an OS
because it is easier to distribute working code to multiple platforms on a
browser. So what do the drm people target now? The browser: aka operating
system 2.0. And the thing that is scary is that people don't realize this and
think "oh, its just W3C, its just a single program on my computer, they aren't
really attacking general computation!" Spoilers: browsers act as virtual
machines for probably 90% of all calculations that run on an average pc these
days.

------
t0mas88
Adobe got Flash (once one of their main products) wrong on the security side
so many times that we can't even keep count anymore. Let alone the horribly
bad performance of flash and the hack-slack way they added features. Why on
earth would anyone want to trust this company to build another proprietary
blob of their sub-par code into all browsers? They've proven to be incompetent
in many attempts, let's not give them a 32nd chance.

------
spiralpolitik
To be honest the W3C was between a rock and hard place here as all the other
alternatives on the table were worse than this. If they had dug in we would
have ended up with 2-3 proprietary DRM standards across the browsers or Flash
would have lived on. Both are worse outcomes.

As for "the open web", nothing changes. Content that was DRM free will
continue to be DRM free, content that wasn't DRM free will still remain DRM.
If anything we are slightly better off as one more proprietary has bitten the
dust.

As with a lot of things, the next steps aren't technical. Organizations like
the EFF should be working with content providers to educate them on the
benefits of being DRM free. A much harder task than firing off press releases.

~~~
GhotiFish
> If they had dug in we would have ended up with 2-3 proprietary DRM standards
> across the browsers or Flash would have lived on. Both are worse outcomes.

You're wrong about this. That is an excellent outcome. Large companies want
the universal application that free software enjoys, but with none of the
respect for the users it requires.

I have absolutely no problem with companies having huge problems locking users
in. If we had 2 or 3 proprietary standards to implement DRM that things worse
for users, that's a good thing.

"Why is this so hard to do?" The answer should be: "We refuse to make such
abhorrent behavior easy", rather than: "It's not"

Making it easy for vendors to dick users over is a bad thing.

Making DRM easy to deploy damages the open web in a very bad way.

------
orblivion
I think this article seems to act as though ditching flash just happened to
coincide with adoption of this new EME thing. The issue is that no matter how
much we kick and scream about user freedom, business interests are business
interests. Economics are economics. There just isn't enough user demand for
freedom to overcome the loss to businesses of losing control of their content.
In order to win this, I think we may need to come to terms with this. Perhaps
it means trying even harder to inform the public and increase demand for
freedom, but maybe it means coming up with alternate ways to monetize, or
alternate ways to produce which circumvent the need to monetize.

~~~
copsarebastards
This is a misrepresentation of the problem here. You're restating the
corporate arguments.

> There just isn't enough user demand for freedom to overcome the loss to
> businesses of losing control of their content.

DRM doesn't prevent businesses losing control of their content. _Orange is the
New Black_ has, AFAIK, only ever been distributed through EME, but it's all
over the Pirate Bay, every single episode.

> maybe it means coming up with alternate ways to monetize

We have alternate ways to monetize. The simplest being _doing exactly what
they are doing except not DRM-ing their content_ , which demonstrably has
worked for multiple content distributors. There are others.

DRM isn't about controlling content or monetize that content. It's about
maintaining an outdated business model because business executives don't
understand the internet. Which would be fine, except that it's hurting the
open web.

~~~
mikeryan
_Orange is the New Black has, AFAIK, only ever been distributed through EME_

This isn't even close to true. Netflix has a ton of non browser delivery
mechanisms. It may only have been delivered with drm but that's a different
thing and I don't know enough to know if that's true.

~~~
copsarebastards
> This isn't even close to true. Netflix has a ton of non browser delivery
> mechanisms. It may only have been delivered with drm but that's a different
> thing and I don't know enough to know if that's true.

Maybe that’s a bad example. But I’ll put out this challenge: find me a
reasonably popular TV show that’s supposedly completely covered by DRM, and
I’ll find you a torrent for it. My point is that DRM does nothing to prevent
piracy.

------
ChuckMcM
Interestingingly it seems Youtube is still using Flash in its pre-roll
advertisements unless I'm missing something obvious. Those videos get the 'f'
from flashblock and won't view unless it is enabled.

------
kelnos
It's a little weird that the EFF is using YouTube's move to HTML5 video by
default to attack EME, considering that YT doesn't require EME...

(Yet, anyway.)

~~~
idlewan
It's maybe to point out some of the irony of "Hey, let's accept another
proprietary blob from Adobe" when it's not even needed anymore now.

------
jsnk
I hear what the proponents of non-DRM browsers are saying, but for media
streaming companies content is their bread and butter. I am not sure what the
alternatives are.

Content providers will stick with technologies like Flash because HTML5 alone
could not provide EME. Lack of such feature set HTML5 backwards because huge
content providers would shy away from using web as the dominant platform of
media delivery.

~~~
awalton
> I hear what the proponents of non-DRM browsers are saying, but for media
> streaming companies content is their bread and butter. I am not sure what
> the alternatives are.

And the DRM does absolutely nothing to stop anyone from doing whatever they
want with it. DRM punishes paying customers at the expense of being a slight
pain-in-the-ass for pirates. Plain and simple: they delivered content to my
computer and I have a key to decrypt it - there's nothing stopping me from
doing whatever I want with those bits but the time to break their silly DRM
scheme.

Had Apple, Google, Netflix et al. the backbone enough to stand up to the media
companies, we'd never have been inflicted with such stupidity. Now, Google's
taking it upon themselves to start using their own DRM module with their own
media - so much for the company that prided itself on Do No Evil.

~~~
geofft
How is that punishing a paying customer?

It's a quirk of classical information theory that you can't transmit a piece
of data for a limited period of time. As an approximation, they apply a silly
DRM scheme that takes time to break, and ask customers if they are willing to
pay for time-limited access.

Unlike with DRM on music downloads or (worse) physical copies of software or
games, there's no expectations mismatch here. If you sell a download, the
average buyer expects to be able to copy that download, etc. If you stream a
movie, the average buyer no more expects to be able to retain a copy than the
average movie-ticket holder does. They didn't think they paid for a copy of
those bits for all time.

There's nothing stopping someone who visits a movie theater from doing
whatever they want with those photons, other than the time to build a
sufficiently concealed camera, is there? And pirates do show up to movie
premieres with concealed cameras... but would you argue that the security
guards stopping you from carrying in a giant camcorder are "punishing paying
customers" while not effectively deterring pirates?

~~~
aikah

        How is that punishing a paying customer?
    
    

You must be young, forgetting about formats like WMV or WMA where you couldn't
open the file without the proper license installed on your computer.That's
what DRM is about.And of course you needed to log to a server regularly to
renew the license, or you couldn't listen or watch the media anymore.

Just like games, pirates don't have issues with online license
verification,since they play pirated games that got rid of them.

Obviously vendors did a nice job not only brainwashing the legislator but also
the client.

~~~
geofft
I remember those formats clearly! Online streaming seems like a very different
sort of thing, is my point. When you have a DRM-locked download, you expected
to have an unlocked download. When you have a DRM-locked stream, did you
expect to hold on to the stream in any form?

I think that we are remembering "DRM" from the days of DRM'd downloads, which
was a terrible thing, and applying that memory here where it does not fit.

------
userbinator
AIUI, EME is basically a standard for interfacing DRM plugins, so instead of
the one implementation (Flash) of it that was around before, we might end up
with a wide variety of DRM modules? That certainly doesn't seem like a better
situation than before, where basically all the RE efforts were focused on
Flash's DRM.

~~~
asadotzler
Your assumption here about going from one DRM implementation to many is wildly
off the mark.

There have been _several major_ video DRM solutions in _widespread use_ for
many many years including Adobe's Access (in Flash, and other places)
Microsoft's PlayReady (in Windows, X-box, Silverlight, etc.) and more recently
Google bought WideVine for its DRM offerings and has spent the last 4 or 5
years building that into the Google Chrome and Android platforms.

Pretty much every major video streaming service was/is using a different DRM
implementation. That's nothing new at all.

Your suggestion that somehow there's going to be a shift from one to a lot
more DRM providers thanks to EME is uninformed and unfounded.

~~~
hsivonen
With NPAPI each site picked one plug-in that worked in multiple browsers.
Another site could pick another single plug-in that also worked in multiple
browsers. With EME, each browser supports some DRM(s) and there's no single
DRM supported by all browsers, so sites need to support multiple DRMs to reach
multiple browsers.

------
Jack000
I kind of miss flash. Security issues aside, Actionscript 3 and the graphics
api felt a lot easier to use than js/canvas and was more performant.

It felt like adobe just rolled over once Steve Jobs declared flash dead. They
even bundled mcafee antivirus with the flash download, it's like they just
want it to be over.

~~~
nsgi
Isn't it possible to create HTML5 apps with Flash Pro?

~~~
Jack000
in actionscript? I haven't worked with it for a while but I don't think so.
Even if it was possible I wouldn't want yet another layer of abstraction to
compile to html.

it's not the graphical authoring environment that really matters. I just
prefer the OOP style of AS3 to Javascript.

Open standards are great and all, but the result is that we've had to wait
years just for html to catch up to where flash was.

------
silon5
I notices Firefox sometimes starts busy looping on 2 cores while playing
youtube (usually when "buffering"). IMO, they should really move the decoding
threads into separate processes so they can be restarted easily (just like
Flash was).

------
Tloewald
Why don't the people with this point of view rail against proprietary fonts
the way they do against video codecs? If we took the same approach to fonts
then you'd only be allowed to use open source fonts and everything would look
ugly. Instead we're allowed to deploy copy-protected fonts to render text
nicely and no-one is unhappy.

If the ultimate issue is that people want to be able to steal video content
with impunity, it all makes perfect sense. If the issue is technical or has to
do with software freedom, I'm unconvinced. Not being able to open my old
documents because Word 2025 isn't able to read Word 2004 documents is not the
same thing as not being able to archive videos of _Galavant_ that I don't have
the right to keep.

~~~
GhotiFish
Oddly enough, fonts in particular have extreme benefits to open source models
of development, the influence of actual research can be applied outright, and
open fonts can be deployed rapidly.

I can't imagine a worse battleground to stake your argument on than this one,
other than servers.

------
AnthonyMouse
Why are they calling EME "locks"? It isn't locking anything. It's obfuscation.
The most relevant physical analogy would be smog. They should call it what it
is; digital smog.

~~~
eridius
It is a lock. You open it with a key. Just like a physical lock. And just like
a physical lock, there are ways to force it open without the key. And just
like a physical lock, forcing it open without a physical key is (usually)
illegal.

~~~
_ikke_
Yes, but it's a lock where they have to provide the key too, and the only way
to prevent you from manually opening the lock is obfuscating this process.

------
ck2
The nice thing about youtube is it also encodes most videos in webm format so
it still plays on XP with Firefox and some old phones

Other sites like vimeo only do mp4

------
blakeja
Can I uninstall Flash at this point? What do I really need it for?

~~~
cpeterso
Most Facebook games require Flash.

------
murbard2
Security is what matters here, the DRM can be circumvented anyway.

------
Aoyagi
Well, hopefully using the Flash player remains an option.

------
pkulak
Yes, EFF, we're still not living in a content wonderland where Hollywood
studios send their blockbusters to people's browsers in naked <video> tags.
Shocking, I know.

~~~
joshAg
Look, if they want to make a plugin that understands their DRM scheme or some
standalone app that's basically just a scaled down browser with support for a
<drm_video> tag, they can tilt at that windmill all fucking day for all I
care.

But I still need a <video> tag that works like an <img> tag in that there's at
least I format supported by all major broswer venders that works for that tag,
that lets me easily save the video for offline viewing, and is completely
unencumbered by patents or licensing issues, so anyone else can make a browser
supporting it. If that means I have to use a tag called
<supercalifragilisticexpialidocious> instead of <video>, I don't really care.
I need that functionality. The web needs that functionality.

~~~
asadotzler
You have that functionality thanks to the <video> tag and H.264 and AAC in
MP4. That seems to meet all of your requirements. Am I missing the problem?
EME and DRM are not required to make that work in Firefox, IE, and Chrome.

~~~
joshAg
H.264 requires a per user license fee paid to MPEG LA until 2027 when the
patent runs out: [http://www.zdnet.com/article/a-closer-look-at-the-costs-
and-...](http://www.zdnet.com/article/a-closer-look-at-the-costs-and-fine-
print-of-h-264-licenses/)

AAC also requires a per unit license for anyone who manufacturers or
developers of a codec: [http://www.vialicensing.com/licensing/aac-
fees.aspx](http://www.vialicensing.com/licensing/aac-fees.aspx)

So no, neither of them meet the 3 requirements I laid out.

~~~
nsgi
What does that have to do with EME?

~~~
joshAg
I didn't bring up EME. I just want a video tag with mandated support for at
least one totally unencumbered audio and video codec. The suggested codecs
aren't unencumbered, and currently there isn't any mandated codec wrt <video>.

