
Tim Berners-Lee approves Web DRM, but W3C members have two weeks to appeal - acabal
http://defectivebydesign.org/blog/tim_bernerslee_approves_web_drm_w3c_member_organizations_have_two_weeks_appeal
======
pornel
W3C takes advantage of the ambiguity of what the EME spec and "standard" DRM
is. People unfamiliar with the spec may think it's the end of plug-ins and a
spec for a DRM that is somehow open, implementable and cross-browser.

It's nothing like it. It's a small JS API that launches the same old, fully
closed, proprietary DRM solutions. The NPAPI has been replaced with a
DMCA-protected interface, and previously separate DRM plug-ins are now called
"modules" and shipped with the browser.

It's as if Chrome, which ships with Flash bundled-in, created a "HTML
Multimedia Extensions" spec with just `navigator.launch("com.adobe.flash")`
for launching "Multimedia Modules" (details of which are out of scope of the
spec), and hailed it as the end of the non-standard Flash and plug-ins.

~~~
om2
I think that is a bit of an exaggeration. First, for some browsers, the DRM
scheme is built in, not any kind of plugin architecture.

Second, without EME, the state of the art for DRM video was to run the whole
playback path through a plugin. Now, only the DRM bit is generally going to be
hidden in a binary blob (whether plugin or not).

This has some important advantages:

* Web content authors can build video players using the same technology stack (HTML5 video+JS) for DRM-ful video as for DRM-free video. No need to learn a whole different plugin environment for this case.

* Video playback only has one code path, instead of totally separate browser and plugin video pipelines. Video codecs are complex, so this means less security attack surface.

* The browser's built-in playback is generally much more power-efficient, meaning more video viewing time on battery for your Netflix/Amazon/Hulu/etc video content.

* Even if the DRM scheme is some form of plugin, it needs far fewer capabilities than a plugin that has full video playback, live streaming, a scripting environment, etc. So it's less of a security risk.

* Flash and Silverlight especially were common sources of critical security vulnerabilities and they'll be out of the picture.

* With approaches like MPEG Common Encryption[1], a single encrypted media resource can be used with multiple DRM schemes. This helps content hosts save on storage, and it makes it materially easier for new browsers to enter the market, since they don't have to ask content providers to host a whole separate copy of the video.

The continuing existence of DRM is admittedly not ideal. But supporting it in
the browser instead of solely in the separate world of plugins has major user
and developer benefits, as described above.

[1]
[https://en.wikipedia.org/wiki/MPEG_Common_Encryption](https://en.wikipedia.org/wiki/MPEG_Common_Encryption)

~~~
chii
> same technology stack (HTML5 video+JS) for DRM-ful video as for DRM-free
> video

This isn't a pro in my books - I want DRM to be a difficult and cumbersome
stack to use. More specifically, I want the end user to go through hassle to
obtain the proprietary plugins, so that the end user feels the hurt from DRM.
This makes a non-DRM version much more simple to view (just click and play),
so that users would vote with their wallet, and use the non-DRM version (and
avoid the DRM version).

If making DRM video easy to play for end users is the goal, then yes, web-DRM
is doing it. But it will make DRM more prevalent, as end users will have no
reason to try to avoid DRM, thus making the web less open.

~~~
agentdrtran
> I want DRM to be a difficult and cumbersome stack to use. More specifically,
> I want the end user to go through hassle to obtain the proprietary plugins,
> so that the end user feels the hurt from DRM.

So you want to make stuff like Netflix as much of a PITA as possible? Why? Why
be this vindictive?

~~~
josteink
> you want to make stuff like Netflix as much of a PITA as possible?

Not op but yes, using DRM in a browser should be hard.

Netflix should just make a native app, like everyone else who needs DRM does.

This clearly scopes what is open and webby and what is closed and DRMy.

Nobody has issues installing Spotify to stream music. What makes Netflix
special?

~~~
hsivonen
> Netflix should just make a native app, like everyone else who needs DRM does.

The native app security model on desktop (i.e. can do anything) doesn't make
the notion of letting streaming services run native apps look so great.

Do you really prefer giving streaming services (not just Netflix but others
too) fully-privileged code execution instead of having an operating system or
browser vendors exercise some oversight?

------
fixermark
Ultimately, the actual standard of the web is the behavior implemented by
major browser vendors.

Assuming the W3C committee voted down the EME standard, at this late point in
the game and with no competing standard to satisfy the use case, what stops
Google, Mozilla, Apple, and Microsoft from just implementing the standard as-
drafted without the W3C's sign-off?

At that point, the browsers will be enabling functionality that browsers that
don't implement EME support can't enable, media channels can take advantage of
EME-supported encryption modules, users will see less functionality in other
browsers and therefore have soft incentive to migrate away from other
browsers, and it becomes incumbent upon the W3C to either release
documentation describing already-existing browser functionality (as they've so
often had to do) or be ever-so-slightly inaccurate as an authoritative source
for describing web standards.

~~~
asadotzler
Nothing stops them, and in fact each of the major browsers has already
implemented EME.

~~~
kibwen
Chrome has been using EME with Netflix since early 2013. This fight was lost
years ago.

~~~
bad_user
The point of web standards isn't to stop browsers from implementing anything
else. Such a viewpoint is naive, that's not what W3C is.

Back when IExplorer had a 90% market share, you could have argued that ActiveX
needs to be a web standard. But it wasn't considered a standard even if it was
a de facto one and now ActiveX is gone.

I must be getting old if I'm talking with people that don't remember the
browser wars or what web standards are about.

~~~
epistasis
I've been around since the browser wars, and disagree with your
characterization here. Standards don't serve marketshare, they are about
interoperability and documentation.

A single user-agent technology shouldn't be standardized because that user
agent has large marketshare. A tech should be standardized because multiple
user agents want to use it, and be interoperable. The ActiveX comparison
doesn't make much sense to me.

~~~
bad_user
"User agents" serve the market. The market wanted ActiveX. There were many
companies and government institutions requiring ActiveX for their interfaces.

Mozilla could have implemented ActiveX btw, but they took a stand against it.

So by your definition, what does "many" mean? Is it more than one? More than
two perhaps? Should it be all of them?

What if I create a browser and announce that it will not support DRM. If
market share isn't important, shouldn't this proposal be dropped?

Yes, web standards are about interoperability, but the problem is that DRM
being fundamentally broken it means that open source browsers running on open
platforms won't be able to "interoperate", which in my book means that this
can't be a standard.

~~~
epistasis
I had a long reply, but when I went back and read your original comment, I
realized I was just restating a portion of your original comment but with far
more words. So I think I'm being unnecessarily contentious.

Standards serve the purpose of when user agents _want_ to interoperate, so
Mozilla was definitely ok with not implementing ActiveX, just as they would be
ok with not implementing EME.

But if Chrome and Safari and Edge all want to interoperate with EME, they're
going to do that. Whether it's a W3C standard or a WHATWG standard, or an RFC,
or a IHateFreeSoftworeSociety standard doesn't really matter. It's just
whether W3C wants to be part of the conversation or not. I see little benefit
and little downside to having it be a W3C standard vs. anything else. Or even
for that matter, whether the term "standard" is used; even if it's somehow
disallowed it's still the same situation.

------
seltzered_
A younger version of myself would be against Web DRM, but these days I wonder
if there's a potential for it to help in democratizing distribution among
indie content producers. Ideally I'd have some time to piece together an
essay, but the major points are:

1) Ted Nelson's vision on how Project Xanadu would have some form of copyright
protection / micropayments for authors.

2) Independent content creators that have called it quits. There's tons of
examples, but here's one that highlights issues:
[http://www.tonycomstock.com/2011/09/12/why-i-dont-make-movies-anymore-and-what-i-do-instead/](http://www.tonycomstock.com/2011/09/12/why-i-dont-make-movies-anymore-and-what-i-do-instead/)

I guess I see a vision where webDRM is an improvement over the walls of 'Apps'
where content may not be DRM-free, but at least be linkable/URL-addressable.

(Disclaimer: I'm writing this without actually reading into the WebDRM spec,
so feel free to criticize)

~~~
mmagin
Has DRM ever actually stopped piracy?

~~~
seltzered_
No, but maybe we need to look at it from relative numbers.

Example: DRM music hasn't stopped music piracy, but better models for the
content distribution (i.e. DRM music platforms like Spotify, etc.) have
demotivated more people from bothering to pirate music.

~~~
Tostino
The fact that Spotify has DRM is inconsequential to it, and those like it
stomping out a ton of music piracy. It's all about the distribution model, and
the DRM is just to make the rights holders happy.

~~~
josteink
But Spotify is a native app.

It can have all the drm it wants. It's not part of the open web.

~~~
scotty79
I always listen to Spotify through web browser. I think it uses Flash then.

------
soapdog
What many people that are on the periphery of this discussion sometimes fail
to realize is that DRM is already here and already employed by many companies.
The current DRM solutions are basically roll-your-own and each company has
their own custom stuff which may or may not be vulnerable to attacks and
steal/fingerprint the user thus affecting their privacy. This is the current
state of things.

The EME/DRM spec is a bit different in that we still have DRM and it still
sucks, but this DRM is now running on a sandbox environment and is
standardized which makes it much easier to audit and a lot safer to use in
terms of privacy for the user.

Of course "no DRM" is a better solution than "any DRM", but that is a
pointless debate because content distributors are already onboard with DRM and
there is no turning them back. The W3C spec is a compromise, a solution that
enables those wanting to use DRM to be able to do so while we maintain some
method of sandbox, privacy and safety. Running a module in EME/DRM is probably
much safer than doing the same thing now with custom browser plugins.

As for the discussion of "browser X should not implement it, traitors!!!! Hate
you forever!!! Will switch to $MORE_PROPRIETARY_ALTERNATIVE" is also a
shortsighted argument in my opinion. If a browser doesn't implement EME/DRM
spec, they shut their users out from being able to use many websites that
employ DRM and what will happen is that that browser will lose users. If
every single browser said "no to DRM" except for a single one, you'd see
everyone installing that browser just to be able to play Netflix.

No browser can afford to lose millions of users by not implementing the spec.
Those users matter. In terms of browser vendor political weight in spec
discussions, user count matters. The DRM battle is a lost one because the
content producers/distributors already decided to use it.

Now, if you're against DRM, instead of complaining about W3C spec'ing it out
and browser vendors implementing it, you should stop using DRM content. No one
is stopping anyone from preferring non-DRM solutions. For example, I don't
like light beer, the existence of light beer sounds wrong for me, so I don't
drink it but I don't try to stop others from drinking said watery yellow-ish
drink. It is the same thing with DRM, instead of focusing your actions on W3C
and browser vendors, focus your effort in content producers/distributors,
prefer other solutions, make them ponder if it is worth losing you.

~~~
syshum
>>but this DRM is now running on a sandbox environment

I see this said many times, and it is highly overrated. While technically
speaking yes it calls for a "sandbox", the need for "Computer Verification"
means the CDM has to have full access to the entire system to verify the evil
user is not attempting to capture the output. So the sandbox is not really
protecting much unless the operating system itself has the CDM integrated as
is the case for Windows. So on Windows the CDM might be in a functional
sandbox but on Linux or any other non-proprietary system it is unlikely the
sandbox will protect the user from a bad CDM, and given Windows' track record
for security I would not put much faith in their sandbox either.

On the security front I do not believe it has changed much, this idea that the
CDM will be more secure seems to be more PR Marketing than actual fact.
Further given the refusal of companies to sign onto a Non-Aggression Pledge to
protect researchers from DMCA liability it is likely any security issues in
the CDMs will go unreported for fear of legal repercussions.

>>>Now, if you're against DRM, instead of complaining about W3C spec'ing it
out and browser vendors implementing it, you should stop using DRM content.

Why can a person not do both? Why should a person that has ethical problems with
DRM, and views the actual existence of DRM as a threat to their personal
liberty, be silenced or told to STFU as you have here?

Bad ideas, like DRM, should be continually criticized until they are dead.
Vocal opposition as well as monetary boycotts are both valid and should be
used to oppose bad ideas like DRM.

One of the reasons people are opposing video DRM so strongly at the W3C level
is we fear it will not stop with Video. Images, Ebooks, Fonts, even the web
pages themselves are all a target for DRM Supporters. There will come a time
that the F12 tools will be useless because the entire page itself is being
served via a locked down CDM style plugin. This is just the first phase of
killing the Open Web in its entirety.

~~~
icebraining
Regarding the sandbox, that's not correct on all browsers:

 _[I]n Firefox the sandbox prohibits the CDM from fingerprinting the user’s
device. Instead, the CDM asks the sandbox to supply a per-device unique
identifier. This sandbox-generated unique identifier allows the CDM to bind
content to a single device as the content industry insists on, but it does so
without revealing additional information about the user or the user’s device.
In addition, we vary this unique identifier per site (each site is presented a
different device identifier) to make it more difficult to track users across
sites with this identifier._

[https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/](https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/)
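
An added illustration of the per-site device identifier described in the passage quoted above. This is not Mozilla's code and not part of the original comment: the `SandboxIdBroker` class, the HMAC-SHA256 construction and the salt rotation on clearing site data are all assumptions chosen to show the privacy property (stable per origin, unlinkable across origins).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Reduce a URL to its origin (scheme, host, port); path and query are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname.lower()}:{port}"


class SandboxIdBroker:
    """Hypothetical sandbox-side service: the CDM never sees the device secret,
    only an identifier derived for the origin it is currently serving."""

    def __init__(self, device_secret: Optional[bytes] = None):
        # Assumption: one random secret per browser profile, kept outside the CDM.
        self._device_secret = device_secret or secrets.token_bytes(32)
        # Assumption: a random salt per origin, discarded when site data is cleared.
        self._salts: Dict[str, bytes] = {}

    def identifier_for(self, url: str) -> str:
        """Return the identifier the CDM is given while serving this URL's origin."""
        origin = origin_of(url)
        salt = self._salts.setdefault(origin, secrets.token_bytes(16))
        mac = hmac.new(self._device_secret, salt + origin.encode(), hashlib.sha256)
        return mac.hexdigest()

    def clear_site(self, url: str) -> None:
        """Forget the origin's salt, so the site next sees an unrelated identifier."""
        self._salts.pop(origin_of(url), None)


def demo() -> Dict[str, str]:
    """Constructed sample origins; values differ on every run because salts are random."""
    broker = SandboxIdBroker()
    return {
        "video.example (page 1)": broker.identifier_for("https://video.example/watch?v=1"),
        "video.example (page 2)": broker.identifier_for("https://video.example/browse"),
        "other.example": broker.identifier_for("https://other.example/"),
    }


if __name__ == "__main__":
    for label, ident in demo().items():
        print(f"{label:24} {ident}")
```

Two pages on the same origin receive the same value, so content can be bound to the device for that site, while a second origin receives a value that cannot be correlated with the first without the secret held by the sandbox.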

~~~
syshum
A lot has changed since 2014, including the adoption of Google Widevine CDM
over Adobe Access CDM.

The sandbox has also changed, as have the requirements from vendors and content
providers. And while Firefox has protected the user better than others, this is
also why Firefox is restricted to 720p by all content providers and will
likely never get anything more than 720p because they do not allow the deep
Operating system inspection and bypasses required to allow for HD and 4K
content.

Currently only MS PlayReady on Windows 10 is allowed to play back Netflix 4K
content because PlayReady is built into the Operating System and treats the
User as the enemy.

Mozilla in their ever ending chase to recover some market share has proven
time and time again they will sacrifice privacy, and their more Technical User
base in order to keep up with Chrome and get back some "regular users". So if
Netflix says "We will give you HD content if you drop the sandbox and give
widevine full access to the users system" I have little reason to believe
Mozilla will not say "Yes Sir Mr. Hastings, anything you want"

------
Steeeve
DRM is a non-starter and is in reality defective by design.

Pirates have created markets where there were none and are an important part
of every entertainment eco-system. It's been that way since the beginning.

This is just another in a long string of bad decisions that attempts to give
major distribution channels far more control than they deserve or could ever
manage responsibly.

If you want to make money in entertainment, the business plan is simple. 1.
Get people to like you. 2. Find a way for those people to get you money. You
don't need Google, Netflix, Apple, NBC, CBS, ABC, RKO, ClearChannel, or
anybody else that inserts themselves between you and your customers. None of
them provides enough real value to anybody who didn't already have a market
before leveraging them.

The fact that this standard is coming to be is just plain silly, but it does
no harm in and of itself. All of the potential problems are today's reality. A
rubber stamp by W3C implementing a tag in the HTML spec and blessing a
workflow change nothing.

The FSF is stirring up noise without providing links to what it's talking
about. I presume it's this:
[https://www.w3.org/TR/encrypted-media/](https://www.w3.org/TR/encrypted-media/)

The workflow isn't particularly well thought out - it's not significantly
different than what RealMedia or Adobe have had put together for a generation.

The real downside is the fact that browsers will be further plagued with vague
integrations. Those integrations will all carry security ramifications that
nobody cares to consider until a major exploit is publicized. The fact that so
many people are willing to sacrifice their security for access to a 12 year
old Lionsgate video is beyond me, but such is the nature of the world we live
in. Like I said before though... that is a problem that browsers face today.
The new "standard" doesn't change much in reality.

~~~
kodablah
> The fact that this standard is coming to be is just plain silly, but it does
> no harm in and of itself.

I disagree that it does no harm. I agree with this quote from the article:

"If EME is ratified by the W3C, the FSF expects it to cause a long-term
increase in the amount of DRM on the Web, by simplifying the DRM
implementation process for streaming services."

Standardization is explicit support and encouragement.

~~~
Steeeve
Forgive me for having a differing opinion, but just to clarify.

I would agree with the FSF statement that there will be more DRM on the web.

Where I differ is that I believe it would happen regardless. If it's not
standard DRM, then it's Apple DRM and Windows DRM... like we already have.

> Standardization is explicit support and encouragement.

Standardization shouldn't be about good or bad. If enough people want to do
something, there should be a standard.

Having said all of that, please don't get me wrong. I'm just clarifying how I
feel. I do tend to have unpopular opinions. I don't have a dog in the race and
I would be perfectly OK with DRM in general being rejected by the W3C because
it is a terrible concept that ends up being paid for by consumers.

~~~
chii
> If it's not standard DRM, then it's Apple DRM and Windows DRM... like we
> already have.

which is fragmentation, and bad for businesses that want DRM, but don't want
to _pay_ the cost of fragmentation. By adding it to an open standard, they no
longer need to deal with end fragmentation (which causes end user a bad
experience). But the solution was never to standardize on DRM, but to
standardize on _non-DRM_ formats! The pirates can obtain content regardless -
DRM only hurts consumers in the long run.

~~~
icebraining
This standard doesn't actually define any DRM formats, each EME module
supports whatever formats it wants.

------
II2II
Everything that I have read suggests that this is standardizing what has
already happened with video, which is a great deal better than the bad old
days when companies relied upon Macromedia/Adobe for video streaming. (Or
worse, a plug-in from an obscure company with an unknown track record).

As much as I would like to avoid DRM, relatively few producers are going to
budge on the issue. The only options are standardized DRM, non-standardized
extensions to provide DRM, or simply doing without. None of the options are
particularly desirable. This one is likely the best of the three.

~~~
__jal
I disagree. "Doing without" seems the most sensible to me.

There is no rule that industries whose business is built on copyright need to
be able to live in the browser. Netflix demonstrated that quite nicely. Just
because they _want_ it doesn't mean they should get it. I personally cripple
EME on my browsers, and if your content won't display for me, I'll happily go
elsewhere. (Haven't had the problem yet, but fully expect to.)

It is bad enough, but unsurprising, that the closed browsers would go along
with user-hostile bullshit like this. That Mozilla did, I find appalling.

~~~
javajosh
Well, "doing without" is certainly the principled stand. But there is a lot of
(almost certain, moderate) pleasure hiding behind one of door #1 (EME) or door
#2 (torrent), and it is difficult indeed to go through door #3, (not this
pleasure).

~~~
Simon_says
I fully expect torrenting to be made impossible or obscenely impractical and
cumbersome inside the next couple decades. The rightsholders are too
politically connected, and the general populace too apathetic and ignorant.

------
samsonradu
Can EME prevent people from doing 30fps screengrabs of their screen and dump
all into an mp4 file using FFmpeg or such?

As someone else pointed here:

> You can't simultaneously give us the content and not give us the content.

~~~
the8472
The server can send an encrypted blob to your browser which hands it off to
the DRM module which can hand it off to the system's ring -2
PAVP/Trustzone/etc. stuff that only runs signed firmware which passes it
encrypted over the PCIe bus to the gfx hardware which passes it encrypted via
HDCP2 to the monitor.

So in principle fully encrypted paths that can't be screengrabbed exist. Not
all DRM makes use of those components because it excludes users who don't
have hardware which supports it. But it is there.

~~~
samsonradu
Thanks for the detailed description.

> .. which passes it encrypted via HDCP2 to the monitor.

And where does the decryption actually take place?

> EDIT

[https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection](https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection)

> In order to make a device that plays HDCP-enabled work, the manufacturer
> must obtain a license from Intel subsidiary Digital Content Protection LLC,
> pay an annual fee, and submit to various conditions.[5][6][7] For example,
> the device cannot be designed to copy; it must "frustrate attempts to defeat
> the content protection requirements";[7] it must not transmit high
> definition protected video to non-HDCP receivers; and DVD-Audio works can be
> played only at CD-audio quality[7] by non-HDCP digital audio outputs (analog
> audio outputs have no quality limits).

This sounds quite far-fetched though. I'm quite sure we're going to see people
literally recording their TV screen with a hand-camera soon.

How about the case where the hardware doesn't support it. Would screen-
grabbing be possible then? Where will the decryption take place in that case?

~~~
kevin_b_er
> How about the case where the hardware doesn't support it. Would screen-
> grabbing be possible then? Where will the decryption take place in that
> case?

You don't get the content then. Full stop.

~~~
gsnedders
With many providers, you do still get the content, just limited to 480p.

------
MikeTaylor
If the W3C does this, it will be time -- regrettably -- to turn away from that
organisation and make a completely new one that exists to serve users of the
Web rather than those seeking to monetise it. That Tim Berners-Lee has lent
his name to this hijacking is shameful.

~~~
gue5t
How are we to deal with the problem that the browser developers are also on
the side of monetization?

------
emilfihlman
I don't understand the point of WebDRM.

You can't simultaneously give us the content and not give us the content.

WebDRM is broken by default and pushing it is just absolutely retarded.

~~~
jandrese
As dumb and broken as it is, the state of the world is such that you can't
deliver most video without something like it.

So the options are:

1. Stick to your guns and keep it out of the standard, free browsers will be
unable to play Netflix, Hulu, HBOGo, BBC, etc... Proprietary plugins that only
work on one browser and/or one platform will exist and be annoying and buggy.

2. Give in and allow this braindamage in the standard because it means most
browsers will be able to support video streaming from most sites.

3. Convince the MPAA and all of their members and all of the worldwide
organizations like it that DRM is bad and that they should stop demanding it.

In the realm of what the W3C can accomplish, #2 seems like the least worst
solution.

~~~
bad_user
Option 1 is the best because playing DRM content should be Netflix's problem.

Why in the world would you want to subsidize Netflix's development?

So what if Netflix's DRM plugin would be proprietary and buggy? Heck, that's a
window of opportunity for DRM-free competition.

By making it a standard it means that we'll never, ever get rid of it. Even if
DRM is fundamentally flawed.

#2 is in fact the worst solution.

~~~
zamalek
> Option 1 is the best because playing DRM content should be Netflix's
> problem.

By not making it a standard we'll make sure that Netflix never, ever comes to
Linux. That guarantees that proprietary operating systems, browsers and
hardware will always be prevalent.

> By making it a standard it means that we'll never, ever get rid of it.

<marquee> and <blink> were standards. NPAPI was a quasi-standard.

Black-and-white worldviews are often accurate albeit negligently unrealistic.

~~~
AnssiH
> By not making it a standard we'll make sure that Netflix never, ever comes to
> Linux.

Netflix already works on Linux, with Chrome and Firefox:
[https://help.netflix.com/en/node/23742](https://help.netflix.com/en/node/23742)

It uses EME with closed-source CDMs bundled with the browser (Chrome) or
downloaded by the browser (Firefox).

~~~
jandrese
My understanding is that it's using basically what the W3C is now considering.
The browser manufacturers already decided on this months ago and implemented
it. Now the question is if it becomes part of the standard so there aren't
annoying differences between each browser.

------
deepnet
"Under the spreading chestnut tree I sold you and you sold me"

Orwell, 1984 - A very sad day, a very poor decision:

"Today, the W3C announced that it would publish its DRM standard with no
protections and no compromises at all, stating that W3C Director Tim Berners-
Lee had concluded that the objections raised "had already been addressed" or
that they were "overruled."

"EFF understood that the W3C had members who wanted to make DRM, so we
suggested a compromise: a covenant, modeled on the existing W3C member-
agreement, that would require members to make a binding promise only to use
the law to attack people who infringed copyright, and to leave people alone if
they bypassed DRM for legal reasons, like making W3C-standardized video more
accessible for people with disabilities.

This was a very popular idea. It was endorsed by Unesco, by the Internet
Archive, by the creator of the W3C's existing membership agreement, by
hundreds of top security researchers, by the competition expert who coined the
term "Net Neutrality", and by hundreds of human rights organizations and
activists from the global south. The Open Source Initiative amended its
definition of "open standard" so that DRM standards could only qualify as a
"open" if they protected legitimate activity.

Now, it's fair to say that the W3C's DRM advocates didn't like the idea. After
a perfunctory discussion process (during which some progress was made), they
walked away from the negotiations, and the W3C decided to allow the
standardization work to continue despite their unwillingness to
compromise."[1]

[https://www.eff.org/deeplinks/2017/07/amid-unprecedented-controversy-w3c-greenlights-drm-web](https://www.eff.org/deeplinks/2017/07/amid-unprecedented-controversy-w3c-greenlights-drm-web)

------
mark_l_watson
I have only had one long conversation with TBL, but he appears at least to me
to have his heart in the right place. I met him at the Decentralized Web
Conference June 2016.

I want two things, at least, from the web:

1. An open platform where I can post content on my own web site, link to
other people's web sites, and let them link to my sites.

2. I like to buy access to entertainment: Google Play Music and Movies,
Netflix, Hulu, and HBO Now.

Ideally I should be able to have both of these modes of using the web, and
people who don't want DRM should be able to disable DRM and rent Bluray
movies, check movies out of their local libraries, etc. There are some
producers, like Spiritual Circle Cinema and others, who sell DRM free video.

I would like to see everyone get everything they want from the web.

------
davexunit
This truly is the death of the open web. I hope the appeal is successful.
Freedom seems to be losing on all fronts these days.

~~~
tveita
> This truly is the death of the open web

About as much as music DRM was the death of music players. And as we all know
the only way to play a music file today is to buy them in the Microsoft Zune
store and squirt them over to your FairPlaysForSure(tm) certified KindlePod.

It's not a _good_ thing; it lets some very big actors hurt themselves and
their paying customers by still pretending that people will eventually come
around to paying more for inferior service if only they force feed enough "you
wouldn't download a car" ads to their dwindling customer base, and it
encumbers the browsers to support yet another legacy standard that will be
used only by exploit writers in ten years time.

But in the end this is never going to prevent you or anyone born after the
sixties from accessing any significant piece of content. It is only going to
stop you from going out of your way to pay for it.

I guess if YouTube started putting DRM on everything, that would reach the
level of 'annoying'. Is there any indication they would do that?

~~~
izacus
Right now DRM is the death of you being able to preserve the TV shows you love
(they'll just disappear from Netflix after some time and you're not allowed to
download them even if you paid for them), the death of being able to watch
things on planes and the death of being able to watch things if one of your
increasingly unreliable ISPs drops a connection.

~~~
agumonkey
What if it was legally bound that a securing tech (enforcing users not to
abuse content) HAS to be opened in case of future demise of the author
company?

If Apple and iTunes suddenly crash, they have to make a tiny effort into
releasing a conversion/stripping tool and/or open source the system so that
ex-customers can at least attempt to help themselves.

~~~
endgame
If a business is failing THAT BADLY, they're not likely to have resources to
implement the safeties. And if they don't, who's going to get in trouble?

~~~
izacus
It's not about businesses failing - content disappears from Netflix and other
services all the time. Shows people were watching the previous month regularly
disappear even though people pay for the service. And DRM prevents them from
exercising the legal right (in most jurisdictions, even US) to make private
copies and watch them later. Remember VCRs and DVR devices? We changed laws to
explicitly allow that.

------
eveningcoffee
I think all people who think that this will end with media only are naive.
Next step is DOM.

~~~
problems
Let's encrypt the DOM in our open source browser... wait what?

EME is pretty great for cracking too - they enable rendering with the
browser's own video engine, giving you a nice "hook to dump pre-decoded frame
here" point.

~~~
the8472
Not necessarily, the CDM can offload the rendering to protected hardware
pipelines instead of the browser's usual video rendering.

https://www.w3.org/TR/2016/CR-encrypted-media-20160705/#media-element-restictions

------
idibidiart
The Web in Chains. The symbolism behind the "inventor" of the web signing on
this is sending the wrong message to the young ones (the new generation) that
idealism must give way to pragmatism and money interests.

Terrible, IMO.

------
bcheung
What's the reason DRM can't be implemented as an open-source solution? Is the
closed source just to prevent people from easily accessing the secret key or
are there other reasons it needs to be closed source?

~~~
benchaney
DRM is fundamentally security by obscurity. Being closed source is the only
way to maintain obscurity, and thus the illusion of security.

~~~
ngneer
I disagree. Technologically it is possible to build a content protection
system without obscurity, using open source software and open source hardware
(and suitable cryptographic bootstrapping). That no one chooses to do so is
another matter.

~~~
frivoal
How so?

The effect of DRM is to prevent the user from doing things that would
otherwise be technically possible, such as copying. Once the software has
decrypted the media, it can do whatever it wants with it. It is just so
designed that what it wants to do with it is not the same as whatever the user
wants to do with it.

Free or open-source software give the right and the ability to the user to
modify what the software does. So if a feature is missing (save a backup
copy), the user can add it (or pay someone to).

A piece of software cannot at the same time:

* be able to decrypt a video
* be able to be changed at the users' will
* be prevented from doing certain things the user wants.

If you merely write a piece of open-source software that lacks the ability to
save a copy, you merely have a missing feature that can be added by anyone who
wants to fork it, you are not preventing copying.

If the decryption is done in hardware, the problem is the same, just shifted.
If people have the ability to change the hardware, then we're back to square
one, and if they don't, then it's not a free/open-source system.

~~~
kelnos
I think the parent's point is that it's absolutely feasible to build hardware
and software that successfully enforces a DRM scheme, and also release the
specs for the hardware and the source of the software.

That doesn't mean that a content producer will verify any old (modified)
version of the software and allow it to play (and possibly "leak") their
content.

Put another way: it's possible to build a secure DRM pipeline and then release
all the source to it while maintaining the security of _that particular
version_ of the pipeline. It's perfectly possible (cryptographically) to set
it up so an unmodified version of that pipeline will be able to play protected
content, while modifying it to (for example) dump decrypted bits to disk will
cause the content to fail to play at all.
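
The arrangement kelnos describes is commonly called remote attestation. The sketch below is an added example, not code from the thread or from any real DRM system; the class names are hypothetical, the pipeline bytes are constructed, and an HMAC with a shared device key stands in for the asymmetric attestation keys a real design would use.

```python
import hashlib, hmac, secrets

# Constructed sample data: the published pipeline and a user-patched build.
PIPELINE_RELEASE = b"def play(frames): render_to_protected_output(frames)\n"
PIPELINE_PATCHED = PIPELINE_RELEASE + b"open('dump.bin', 'wb').write(frames)\n"

class RootOfTrust:
    """Models a hardware element: it hashes the code it is about to run and
    MACs that hash with a key the (open, modifiable) software cannot read."""
    def __init__(self, device_key):
        self.__key = device_key

    def quote(self, pipeline_code, nonce):
        measurement = hashlib.sha256(pipeline_code).digest()
        tag = hmac.new(self.__key, nonce + measurement, hashlib.sha256).digest()
        return measurement, tag

class LicenseServer:
    """Releases the content key only for a fresh, authentic quote over an
    approved build. The check runs here, not on the user's machine."""
    def __init__(self, device_key, approved_code, content_key):
        self._device_key = device_key
        self._approved = {hashlib.sha256(approved_code).digest()}
        self._content_key = content_key
        self._open_nonces = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def request_key(self, nonce, measurement, tag):
        if nonce not in self._open_nonces:
            return None                      # unknown or replayed challenge
        self._open_nonces.discard(nonce)     # each nonce is single-use
        expected = hmac.new(self._device_key, nonce + measurement,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                      # quote not produced by the hardware
        if measurement not in self._approved:
            return None                      # authentic quote, unapproved build
        return self._content_key

def attempt_playback(server, root_of_trust, pipeline_code):
    """One exchange: challenge, hardware quote, key request."""
    nonce = server.challenge()
    measurement, tag = root_of_trust.quote(pipeline_code, nonce)
    return server.request_key(nonce, measurement, tag)
```

Publishing the source changes nothing in this model; everything rests on the device key staying inside hardware that measures the code before running it.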

~~~
chii
but what part of the pipeline is responsible for the verification of the
'unmodified' trait?

If it's a part that's open-sourced (hardware or software), then won't it
simply be _modified_ to allow it to pass and allow extraction of decrypted
content?

If it's _not_ open-source, then you don't have a fully open-source DRM scheme.

~~~
ngneer
open source does not imply modifiable

~~~
vurpo
From the Open Source Definition:

> 3. Derived Works

> The license must allow modifications and derived works, and must allow them
> to be distributed under the same terms as the license of the original
> software.

------
BlackFly
If false DRM initiatives are what it takes to get browsers to implement proper
crypto modules, then sign me up.

Obviously it can't be used for DRM, I will just capture the frame and redirect
it to a codec to re-encode the stream. Alternately, I can just stream it
somewhere else.

On the other hand a secure place to store keys, free from the reach of plugins
and javascript would be nice.

------
mehh
Yeah that's fine, freedom of choice and a better experience for users, sounds
pragmatic to me.

Much better than the many posts here trying to force their opinion on the
world!

------
jancsika
Anyone know if the EFF plans to throw some of their weight behind this
particular appeal?

~~~
frivoal
I believe they want to, but the appeals process is an untested one, and will
be evaluated by the same people who made the original decision. Don't get your
hopes too high.

------
shmerl
That's a shame. He should know better than to approve this unethical garbage.

------
mitchty
I can't wait until this gets used by malware!

~~~
wmf
Can you explain how malware could benefit from EME? Note that EME only applies
to video.

~~~
fixermark
The reasoning goes that EME is a standard that specifically allows for
attaching a closed-source black-box to the browser in a standardized way. This
code is not auditable by outside sources, and therefore could be a breeding
ground for malware and exploits (standard open-source philosophy that
"sunlight is the best disinfectant"---many eyes on open source software
minimizes the opportunities for exploitable bugs to hide). We've seen codec
software---even open-source codec implementations---used as an attack vector
in the past.

This reasoning, IMHO, ignores the fact that the user-agent still asks for
consent, so the user may choose not to allow anything they can't audit. It's
just the "Do you want to allow Flash to play this cool video?" story all over
again.

~~~
danudey
Presumably they feel the same way about all closed-source browsers?

Also, the comparison to Flash is not quite right. For example, Flash was an
entire black-box, top to bottom, with a runtime, codecs, UI, a JS engine,
etc., which downloaded code from the internet to run it.

Web DRM, on the other hand, is a standard that allows for an encrypted video
stream to be decrypted. The only difference that I can see between this and
the current state of web video is that now the stream can be encrypted.
Everything else is still using Javascript, HTML, CSS, HTTP, h.264/265, etc.

The thing that gets me is that open-source browsers are free not to implement
this extension if they're not comfortable with (or opposed to) it. The theory
is that if companies start encrypting their content then open-source browsers
will have to follow suit, but we already have that kind of junk; the
difference is that now, with EME, we can keep 99% of the stack open standards,
open-source, and auditable, rather than having to rely on Flash or Silverlight
to do our decoding.

EME isn't the death of the open web, it's the death of the closed web. It's
the death of awful, insecure, and obsolete technologies like Flash and
Silverlight by taking the one single thing they're still good for and moving
it to the browser. If EME failed and no one implemented it, Netflix wouldn't
just stream their content unencrypted; they'd keep using Flash or Silverlight,
or maybe implement something themselves so they didn't have to.

~~~
gsnedders
> For example, Flash was an entire black-box, top to bottom, with a runtime,
> codecs, UI, a JS engine, etc., which downloaded code from the internet to
> run it.

And, notably, the DRM modules can be sandboxed far more than Flash can.

------
TheAceOfHearts
EME is useless garbage. It's one of the first things I disable when I install
Firefox. I can't do much, but I boycott any service that uses it.

------
AndyMcConachie
I have given money to the FSF for years and will continue to do so as a
member. However, I do not support them in this fight. Berners-Lee is doing the
right thing here.

~~~
aerovistae
Can you elaborate on that? Why do you believe this?

~~~
AndyMcConachie
The choice we're faced with is either we get some standardized DRM in browsers
or we get unstandardized DRM in browsers. That's the choice.

I've had email discussions with people at the EFF about this and we basically
just had to agree to disagree. Their interpretation of the choice we're making
is that we either get DRM in browsers or we get some magical fairy-tale land
where DRM suddenly ceases to exist. I don't buy it.

Plus, as a Netflix subscriber I don't really mind DRM that much. Feel free to
ask away, I'm always willing to talk about this.

