
W3C Proposal from MS, Google, Netflix for adding copy protection API to html5 - ldite
http://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html
======
dthunt
Since nobody else is saying it.

The issue with this proposal is that it creates a segmented web, whereby if
a vendor does not ship a "CDM" for a particular platform, you will never see
DRM'd web content for that platform.

To those of you who are thinking "Woo! Now there's an easy way to get my
license keys!" you have missed the part where there's a media layer
interacting with a DRM stack - this is essentially the same situation as
today.

The only thing this does is give blessing to break principles of universal
computing. I am opposed.

~~~
AndrewDucker
So, much the same as at the moment where if there isn't a version of Flash (or
Silverlight) for a particular platform then you can't watch
Netflix/Hulu/Whatever.

~~~
TeMPOraL
Point me to a platform without Flash support.

EDIT:

I meant, show me a platform where users can't get Flash for free easily. AFAIR
on Windows, Unix and MacOS (I used only the first two) you can just download a
free player...

~~~
planb
<http://www.apple.com/ios/>

However - I don't think Apple would implement these extensions in Safari...

~~~
TeMPOraL
Ok, fair enough.

------
malandrew
Personally I see this as a short-term gain for MS, Google and Netflix and a
long-term loss for everyone else. If we implement this, then we delay a web
where copyright enforcement, except in cases involving the most egregious
violations prosecutable in court, is viewed as the exception rather than the
rule.

I am opposed. Leaving out DRM helps establish new social norms that benefit
the commons over individual players. We all end up richer in the end.

~~~
Legion
That doesn't work if you can't get content providers in the door.

My attitude towards DRM changed somewhat when I saw what happened with the
online music stores. DRM was absolutely required for Apple to get major labels
to the table. Then, over time, DRM was chipped away, to the point where the
iTunes Music Store is DRM-free, Amazon's MP3 store is DRM-free, etc.

If we can skip the DRM phase entirely, sure, I'd be on board. But is that
realistic?

~~~
malandrew
Content providers will be forced through the door by competition from copyleft
and creative commons content.

Competition is the easiest way to combat DRM.

The presence of DRM legitimizes social norms of restriction. The lack
thereof legitimizes social norms of sharing.

DRM is a tangible embodiment of the tragedy of the commons. DRM is
analogous to a series of electric fences partitioning off the commons so that
only some cows from some individuals can graze in certain places, but no other
cows can graze there. People will invent electric fences for use in chipping
away at the commons, but it would be a disaster for society to standardize the
electric fences so that anyone can chip away at the commons effortlessly.

I'm of the opinion that if some entity wants to cripple their content with
DRM, that is their prerogative, but they shouldn't get help from W3C and other
bodies creating open standards.

On top of all that, as a developer, DRM is one more layer of bullish*t to deal
with. I'm perfectly happy paying for APIs based on usage. I connect, you
measure, you charge. Last thing I want to encounter are APIs which require me
to implement a cumbersome layer of DRM to use content.

Lastly, I can only see the presence of DRM reducing accessibility of content
for special needs users, such as the blind, because any form of DRM is likely
to reduce how you can manipulate content. What if the DRM prevents close-
captioning? text-to-speech? Addition of semantic data? etc.

DRM is wrong. It doesn't not produce a better environment for the consumer
because it reduces competition.

DRM introduces friction. Friction reduces "liquidity". Lower liquidity results
in a smaller market with fewer options.

REST vs SOAP is a perfect example of unnecessary friction in a "technological
market". A market with DRM would have the same impact on innovation as a SOAP-
based market.

~~~
Silhouette
> DRM is wrong. It doesn't not produce a better environment for the consumer
> because it reduces competition.

The fundamental flaw in your argument is that you assume we would still have
the same content available to consume without DRM.

However, the whole reason to allow copyright in the first place is to create
an economic incentive for those who can to create and share works. And the
whole point of DRM is that people weren't honouring copyrights, so the
incentive wasn't working. Clearly there is not sufficient incentive for the
major content producers to share their movies via on-line systems without DRM
right now, because they have almost unanimously refused to work with such
systems, and no-one has been able to force them to do so through commercial
pressure.

> A market with DRM would have the same impact on innovation as a SOAP-based
> market.

The market already has DRM, and there are more (legal) ways to get access to
the latest video content today than at any time in human history. But right
now, implementing adequate DRM takes more effort than it should, and _that_
has an impact on innovation by at best reducing the efficiency of services
working with DRM'd content and at worst rendering services that would
otherwise have been successful and beneficial to consumers commercially
unviable.

------
chjj
<http://lists.w3.org/Archives/Public/public-html/2012Feb/0274.html>

Hixie's response: "I believe this proposal is unethical and that we should not
pursue it."

It's safe to say I'm very happy with Hixie being the editor of the html5 spec.

~~~
smackfu
Benevolent dictatorships are great as long as you agree with the dictator.

~~~
dthunt
I do rather wish he'd elaborate.

~~~
dthunt
As it turns out, he did elaborate (as did others):

<https://www.w3.org/Bugs/Public/show_bug.cgi?id=10902>

There's some vitriol from various parties in there as well, and all the points
you would expect from people trying to create an open, accessible, and
compatible presentation standard. Standards at its finest!

------
51Cards
I wonder if this proposal (which was inevitable eventually) is a direct result
of a couple things.

- Apple decides (wrong or right) to not support Flash on a wildly popular
mobile platform

- Flash begins its demise in general (again inevitable but IMO a little too
soon)

- Adobe cedes further development on Mobile Flash

- secure video content deliverers are immediately faced with losing the only
existing "secure" video "standard" on the web and having to develop platform
specific solutions

- a proposal is put forward to put DRM into HTML5 video (which it is going to
have to get eventually for ubiquitous adoption, like it or not)

That's the chain I see.. which may have pushed this HTML5 DRM thing to the
forefront before it has been properly hashed out. Not placing fault on any of
the parties there, just a chain of events to me.

~~~
mindslight
Don't forget the popularity of netflix/hulu/itunes and however else people are
duped into supporting the content cartels. The 'web' was on its way to
becoming a receive-only ghetto as soon as 'apps' started to replace static
pages. The money to be made by giving the masses a hip new cable TV is a nasty
accelerant.

~~~
icebraining
_The 'web' was on its way to becoming a receive-only ghetto as soon as 'apps'
started to replace static pages._

I disagree completely. It's now _much_ easier to create and distribute your
own content than it ever was, in great part exactly because of the new
interactive websites.

Youtube alone is a great example. Sure, it has plenty of old media content
(and plenty of abusive takedowns), but how many hours of amateur stuff is
being viewed every single day? Probably orders of magnitude more than there
ever was on the web ten years ago.

Then there's Flickr, Tumblr, Wordpress, Blogger, deviantART (140k
submission/day) and so many more.

Sure, Netflix, Hulu, etc are major players, but I don't think user generated
content is being replaced - TV is.

~~~
mindslight
Sure, the actual volume of publishing and types of content have increased, but
the range of abilities has dwindled. Users are only able to interact with each
other through opaque centrally controlled services where the middlemen choose
how and what the services support and approve (sound familiar?). Having
different executable code and a data silo for every implementation of the same
idea puts the users at the mercy of the proprietary services (see: any time
people whine about a website changing). Their only choice ends up being
_which_ company to resign themselves to.

~~~
notJim
> Users are only able to interact with each other through opaque centrally
> controlled services, where the middlemen choose how and what the services
> support and approve

Previously, normal users were unable to interact with each other at all. Do
you really think grandma/your uncle/etc would have learned to write HTML,
found a place to get hosting, and put it online, if only Facebook hadn't come
along?

Oh, and by the way, it turns out you have _even more_ options for putting your
HTML content online now [Heroku, AWS, Linode, Wordpress, Jekyll, etc], thanks
in large part to the financial and social capital influx that came to the Web
during the "Web 2.0" boom.

~~~
mindslight
"Normal users" certainly used email clients, installed web browsers, and used
local page-creation tools. That certain technologies have made these tasks
easier does not mean that those specific technologies were the only way
forward, or that those technologies are without drawbacks. Publishing Turing-
complete blobs clearly gives the creator the most freedom and power, but at
the expense of limiting the consumers' options to "experience content as
intended" or "don't".

My whole point is that this philosophy of server-knows-best is causing the
'web' to revert to the standard creator -> middleman -> passive consumer
chain. Of course many different "ways" of publishing are flourishing - those
are the middlemen!

------
kennu
If I understand correctly, this is to protect the content during delivery over
Internet. But the user agent is free to do whatever it wants with the content
once it gets the decryption key. I suppose servers could decline to give the
keys out to untrusted user agents.

~~~
dhx
It may be possible under the proposal but is distant from the intended or
anticipated uses.

This proposed extension appears to provide a means for distributing keys
between DRM chips/implementations (BD+/AACS/etc) and a remote license server.
The reason this is a HTML specification extension is that Netflix and Google
want to use <video> within HTML -- thus the browser environment must become
responsible for interfacing between the DRM implementation and license
providers.

Knowing the "keys" being transmitted is not useful because they'll be
encrypted using public key cryptography. A heavily protected/tamperproof[1]
DRM chip will have access to the actual keys required to decrypt the content.
This could take the form of a Trusted Platform Module (TPM) as part of the
widely criticised "Trusted Computing" initiative (is this one of the reasons
why Microsoft is involved with the proposal?).

Some of the motivations of pushing towards this heavily restricted and
inaccessible method of delivering content could include:

1) Ability to lock content to particular devices (iPhone users can access a TV
show 2 weeks before anyone else).

2) Taking control over the purchasing cycle of consumers by forcing constant
hardware upgrades.

3) Renting content for short durations of time under very specific conditions
and limitations.

4) Pricing content on a per-user basis (some users pay more than others for
the same content)

[1] Security Engineering, Edition 1, Chapter 14 by Ross Anderson -
<https://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf>

~~~
alan_cx
"It may be possible under the proposal but is distant from the intended or
anticipated uses."

Always a scary sentence.

------
dave1010uk
Can anyone explain how this differs from HTTPS in terms of features and goals?

~~~
ldite
HTTPS is fundamentally incompatible with caching proxies, CDNs, etc. This
scheme would (amongst other things) allow secure exchange of keys (and other
data, such as license) while distributing the bulk of the content via http.

This means that the heavy lifting of distributing video can be done by CDNs,
with the high-value keys/licenses going over secure links.

And there's more to this than just the transport encryption: it provides a
standard API for decryption modules in the client, so a browser doesn't have
to understand the details of every technology.
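
The split described in the post above (bulk media over plain, cacheable HTTP; only the small key over a secure, authenticated link), sketched as an added example that is not part of the thread or the proposal. The license format, session tokens and function names are hypothetical, and AES-128-CTR is an assumed cipher choice.

```javascript
// Added illustration; every name and the license shape here is hypothetical.
const crypto = require('node:crypto');

// Packager: encrypt each segment once with one content key.
// The bytes are identical for every viewer, so any HTTP cache or CDN can
// store and serve them without ever seeing the plaintext.
function packageSegments(segments, contentKey) {
  return segments.map((plain) => {
    const iv = crypto.randomBytes(16); // per-segment counter block, sent in the clear
    const cipher = crypto.createCipheriv('aes-128-ctr', contentKey, iv);
    return { iv, data: Buffer.concat([cipher.update(plain), cipher.final()]) };
  });
}

// License server: the only component that needs the secure channel.
// It checks entitlement and returns the 16-byte key, never the bulk media.
function makeLicenseServer(keysById, entitlements) {
  return function requestLicense(sessionToken, keyId) {
    const allowed = entitlements.get(sessionToken);
    if (!allowed || !allowed.has(keyId)) {
      return { ok: false, reason: 'not entitled' };
    }
    return { ok: true, keyId, key: keysById.get(keyId) };
  };
}

// Client-side decryption step, standing in for the decryption module.
function decryptSegment(segment, key) {
  const decipher = crypto.createDecipheriv('aes-128-ctr', key, segment.iv);
  return Buffer.concat([decipher.update(segment.data), decipher.final()]);
}

function demo() {
  // Constructed sample data.
  const keyId = 'constructed-key-id-1';
  const contentKey = crypto.randomBytes(16);
  const media = [
    Buffer.from('constructed segment 0'),
    Buffer.from('constructed segment 1'),
  ];

  const cdnCache = packageSegments(media, contentKey); // goes out over plain HTTP
  const requestLicense = makeLicenseServer(
    new Map([[keyId, contentKey]]),
    new Map([['session-alice', new Set([keyId])]])
  );

  const denied = requestLicense('session-unknown', keyId);
  const granted = requestLicense('session-alice', keyId);
  const played = cdnCache.map((s) => decryptSegment(s, granted.key).toString());

  // What a cache or on-path observer holds is ciphertext, not the media.
  const cacheHoldsPlaintext = cdnCache.some((s, i) => s.data.equals(media[i]));
  return { denied, grantedOk: granted.ok, played, cacheHoldsPlaintext };
}
```

Once `decryptSegment` returns, the client holds the plaintext, so this arrangement protects the media in transit and in caches, not from the party that was given the key.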

~~~
ldite
This means that if a provider such as Netflix wanted to, they could supply you
with (say) a USB crypto dongle that you would plug in to your PC, which could
then interact with your browser to authenticate you, and potentially even
decrypt content (or rotating media keys) on the fly. This is, I believe,
pretty much what a lot of cable access cards do.

------
vog
From the proposal's abstract:

 _No "DRM" is added to the HTML5 specification, and only simple clear key
decryption is required as a common baseline._

~~~
dhx
Please explain why the specification makes continued use of the word "license"
-- a word that has little meaning outside the context of Digital Restrictions
Management.

Why did they feel the need to use the word "license" and not just "key"?

------
ldite
Proposal includes a good FAQ section;

<http://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html#faq>

------
bwarp
How does this fit in with an open source model? Surely you can just extract
the keys/license without reverse engineering anything then?

It's daft.

~~~
rbanffy
Restricting what you can do with data doesn't fit well with open-source. If
you can read a stream and decode it to a screen or speaker, you'll also be
able to save it to a file. If you can't change the software to do whatever you
want it to (and download copy-protected streams is one thing you may want)
it's not open-source.

------
sanbor
One of W3C's primary goals is to make these benefits available to all people,
whatever their hardware, software, network infrastructure, native language,
culture, geographical location, or physical or mental ability.
<http://www.w3.org/Consortium/mission>

IMHO, it's against those principles.

~~~
pslam
Indeed - this is the first thing I looked up. It's directly against the
Mission of the W3C to support proposals such as this. If people want this
feature, it is going to have to be a non-W3C standard.

I've been commenting against various forms of anti-web proposals such as this
for more than a decade. Every 3-4 years somebody proposes to accept RAND (non-
free) licensing terms. This time around it's non-free content distribution.
Let's hope the W3C remembers who they are, and what they're for, once again.

------
grep2
This proposal reminds me of the RFC specifying a security flag in the IPv4
header.

<http://www.ietf.org/rfc/rfc3514.txt>

~~~
rbanffy
Yes, but it was published a couple weeks too soon. Someone may take it
seriously.

------
AndrewDucker
Presumably this is to avoid the need for Flash for video streaming.

I believe the two main advantages of Flash over the Video tag are that Flash
can encrypt, and Flash can do adaptive rate streaming - and adaptive rate
streaming is also going through the standards process at the moment.

~~~
ldite
An MPEG standard for adaptive streaming (DASH) has just been ratified:

<http://www.streamingmedia.com/Articles/ReadArticle.aspx?ArticleID=79382>
<http://dashpg.com/?page_id=25>

Firefox and Chrome both seem to be working on implementing it:

<https://bugzilla.mozilla.org/show_bug.cgi?id=702122>
<https://code.google.com/p/chromium/issues/detail?id=109652>

------
dazbradbury
I'm glad this is being discussed. It's an important proposal, and as long
as it's thought about carefully, will help move our web video service forward.

My experience recently is with Lovefilm, where they switched to silverlight
delivery of content citing "anti-piracy measures" [1]. If we want to move to a
www with HTML5 only video, an addition to the standard is required.

Whilst there will no doubt be people opposing any copy protection, I'm sure
many can cite examples where its exclusion is hampering the web.

[1] - <http://blog.lovefilm.com/uncategorized/why-were-switching-from-flash-to-silverlight.html>

~~~
dhx
The proposal is an additional layer of cruft that doesn't assist copyright
holders in any way with protecting their content. Content protection should be
as simple as refusing the stream content to unauthenticated and unauthorised
clients. 1990's era HTTP specifications are perfectly acceptable (and widely
supported) means to accomplish this.

This proposal _is_ DRM in the sense that it makes it much harder for paying
legitimate users to access and control what they've purchased. It continues to
provide incentive for users to pirate content using far simpler and more
accessible channels.

~~~
VMG
> Content protection should be as simple as refusing the stream content to
> unauthenticated and unauthorised clients.

This is about _copy protection_. You can argue that that is practically
impossible to do, but this isn't about client authorization.

~~~
etherealG
I would argue that the problem space reduces to the same thing. Once you hand
someone encrypted content along with a way to decode it, you've essentially
given them the content and have to trust that they won't copy it. You have no
way to protect the content from being copied if you have given out the secret
to decoding it.

~~~
andylei
you can logic all you want. the fact is, content providers want certain
implementations of DRM. if "web standards" do not allow for these
implementations, then they won't use those standards. you're not going to
convince content providers not to have DRM just because it's not a web standard
- content providers never cared about web standards to begin with.

the question is whether you care more about the adoption of the standard or
the purity of that standard. if html5 doesn't include methods for DRM, then
hulu and netflix will continue to use proprietary extensions. how much do you
care about adoption? if only 50% of sites use it, is it still meaningfully a
standard?

~~~
morrow
I think the penalties associated with using plugins are simply the price DRM
advocates should have to pay. I don't think it's the job of the W3C to make it
easier on them to maintain this practice. The short-term gain of getting large
media players on-board is outweighed by the long-term prolonging of the life
of DRM and delaying the advancement of social norms and business practices for
media distribution, consumption and ownership.

Looking at the companies that control media today and trying to mold the
environment of the web so that they survive is exactly backwards. Instead, I
think the W3C should focus on creating the best environment for an open web
possible, and let the companies that exist now adapt to it or be replaced by
those who can.

------
bni
I guess Mozilla could implement this and still allow the user to save the .mp4
in Firefox.

For DRM to be "effective" you have to control the client and not allow
arbitrary implementations. Or what am I missing here?

~~~
dthunt
The DRM stack is outside the browser.

~~~
pgeorgi
How is that different from some binary-only browser plugin (with limited
availability on platforms that the DRM vendor doesn't want to support)?

All it does is give credibility to DRM ("but the W3C has a standard for
that!")

------
surrealize
Hollywood tried to get a form of content control into over-the-air broadcasts;
they got a lot of pushback and ultimately failed. Now over-the-air broadcasts
are done entirely in the clear.

Requiring DRM for the web is ridiculous as long as the content is being
broadcast in the clear over-the-air.

Now it's up to us, the tech community, to push back against this attempt at
control. The broadcast situation shows definitively that DRM isn't an absolute
requirement for the content industry.

------
yason
It's funny that "unauthorised" copying of not freely available material has
value whereas "unauthorised" copying of freely available material has nearly
zero value (you could just copy/download the original).

So, effectively, by putting up DRM and copy protected content, they make up
themselves whatever value "piracy" has.

------
realschool
This sort of thing has to happen, as great as the idea of media embedding in
HTML5 is there needs to be copy protection.

~~~
dchest
No, there's no need for copy "protection".

~~~
kennu
I think the "need" comes from the content owners, who refuse to license their
material to services that don't implement a form of DRM that they approve of.

It would of course be much easier if the content owners some day understood
that DRM solves absolutely nothing, only makes the UX worse, and the content
is still being copied freely out there, despite all the protection.

~~~
rmc
_I think the "need" comes from the content owners, who refuse to license their
material to services that don't implement a form of DRM that they approve of._

Poppycock.

If I were unwilling to come to work unless I was to get €1,000,000 per day and
the system wasn't set up to do that, then I would have to stay at home all
day. I would have no right to insist that just because I find the current
system unsuitable that it should be changed.

~~~
Silhouette
> If I were unwilling to come to work unless I was to get €1,000,000 per day
> and the system wasn't set up to do that, then I would have to stay at home
> all day. I would have no right to insist that just because I find the
> current system unsuitable that it should be changed.

And if you were unwilling to consume content unless you were to get it without
any technical measures to enforce the terms on which it is offered and the
system wasn't set up to do that, then you would just have to do without the
content. You would have no right to insist that just because you find their
current business model unsuitable that it should be changed.

