Hacker News new | past | comments | ask | show | jobs | submit login
Browsers' bid for relevance is turning them into time-bombs (thetech.com)
226 points by wallflower on July 9, 2016 | hide | past | web | favorite | 105 comments



> The browser ecosystem is weaker than it’s ever been

This kind of hyperbole undermines the whole argument. The browser ecosystem was weakest when Microsoft released IE6 and then decided to not update it for half a decade. Today, by comparison, we are living in a land of plenty.

Even on the DRM front, the situation was no better in the past when you had to use Flash or Silverlight for DRM. At least now there is a clean interface to just the video decryption without requiring a whole bloated proprietary plugin. I don't quite understand the ideological bent that EME corrupts an open standard, but the same result from NPAPI is somehow less objectionable?

If the hope is that by standards bodies rejecting DRM on principle they will somehow strong-arm Big Content, I can tell you unequivocally that it ain't gonna happen. Cory Doctorow has not spent the last 10 years building a feature film streaming service and negotiating with rightsholders, but I have. In fact I spent most of that time fighting against DRM on a UX basis and trying to find loopholes, which works for small distributors but not for the studios. The torrent crowd would have you believe it's because they're stupid, but Big Content is anything but stupid. They know that there is no such thing as guaranteed copy protection and that there will always be an analog loophole. The reason they insist on DRM is as a means of control. They just need enough roadblocks in front of casual piracy to prevent devaluation of their content. If they were unwilling to accept any piracy they wouldn't stream to PCs at all. Which, BTW, is exactly what would happen if we succeed in outlawing DRM on PCs. They would literally pull the content, and say if you want to watch go buy an Approved Device. Customers wouldn't bat an eye either, because people prefer to watch on a television anyway; cheap streaming boxes / smart TVs are the future, not general purpose web browsers.

Making a huge issue of EME is just asinine and belies a complete ignorance of the market forces at work here. The studios have all the power, browser makers do not have any leverage. And in any case, if rightsholders want to play a cat and mouse game with DRM that should be their prerogative, but customers should also have the freedom to circumvent those measures. Where we need to focus our lobbying efforts is against the DMCA and infinite Copyright extension which broadly impacts consumer rights and the public benefit.


I don't understand why people think the Web needs Hollywood's video content. Let them build proprietary set top boxes or whatever, who cares if it's not in a browser? It's certainly not important enough to undermine the Web's principles of openness, interoperability, free access to knowledge, etc.

As far as I see it, EME would only be a loss for the Web and browser makers like Mozilla; in a similar way to, for example, losing the ability to "view source" would be a loss.

I think the real threat is from commercial entities who want EME for entirely separate reasons, i.e. Apple, Microsoft and Google, who also just-so-happen to make browsers. They can embrace/extend/extinguish the Web, by building an encryption standard into their particular browsers which none of the countless others are able to do (Firefox, Konqueror, Dillo, Netsurf, W3M, Lynx, EWW, Elinks, etc.). EME seems like an attempt to preempt such a situation, but I don't see how it can do anything to prevent it.

This is a much worse situation than some set-top box scenario, since it will bleed users from all browsers to those few with EME+plugins, and the Web will become yet another Microsoft Office document format.


> I don't understand why people think the Web needs Hollywood's video content. Let them build proprietary set top boxes or whatever, who cares if it's not in a browser? It's certainly not important enough to undermine the Web's principles of openness, interoperability, free access to knowledge, etc. > As far as I see it, EME would only be a loss for the Web and browser makers like Mozilla; in a similar way to, for example, losing the ability to "view source" would be a loss.

The flaw in this line of reasoning is talking about it in the past tense and referring to “the Web” as if that's some central authority distinct from the browser manufacturers which can dictate terms. EME has already shipped in Chrome, Safari, Internet Explorer, Edge, Firefox, and Opera. The alternative was something like Apple, Google, and Microsoft hammering out an agreement privately and leaving Mozilla and possibly Opera out in the cold, stuck with either Flash or slowly bleeding users to a browser which offered a better experience.

Look at Netflix's support matrix now and notice how many people can now play movies without needing to install anything:

https://help.netflix.com/en/node/23742

You're going to have a really hard time convincing most people that this is worse than the previous security, stability, and performance disaster of using NPAPI plugins. The vast majority of users think it's a plus that they can just search, click, and play without having to use a separate device or player application — how are you going to convince them that this should not be allowed?

Note also that this does not prevent the use of view source on netflix.com – only access to the decrypted video stream – and should any of the extremely rare browsers which you listed (several of which don't even support images or video of any sort!) decide they too wanted to support it, there's at least a standard process.


From a simple usability perspective, definitely agree. I re-purposed a Dell Chromebook with Debian Jessie for my partner last weekend and the hardest thing (bearing in mind I had to delicately pop the case apart and remove a write protect screw to flash the BIOS) was getting streaming working for the on-demand stuff she likes to watch.

Netflix 'just worked' with Chrome but some French TV channels (looking at you M6!) are still stuck streaming Flash. Getting pipelight to work with Firefox took hours of fucking around and it still bombs on certain streams.

If we have to have DRM it's got to be preferable suffering it through an open standard rather than black boxes forced on us through shitty plugins riddled with security holes.


> Look at Netflix's support matrix

Looks terrible, there is no mention of Linux at all.


I get where that's coming from – I've run Linux since the mid-90s, along with other rarely supported systems like BeOS and OS/2 – but … how many people does this actually affect? Linux on the desktop remains a small minority and the percentage of Linux desktop users who are unwilling to use Chrome is even smaller.

Again, I don't love DRM but we need a reason for a significant number of people to care. We've had a couple decades for angry nerds ranting on the Internet to show results and it's hard to say that we've done anything. The one area where DRM was rolled back is music and that was a combination of widespread unencumbered CDs and, mostly, Steve Jobs scaring the music labels more than piracy.

We need a better approach to avoid repeating that cycle of failure again. Most people think Netflix is good – what's going to make them decide to cancel their subscription?


> We've had a couple decades for angry nerds ranting on the Internet to show results and it's hard to say that we've done anything.

I'd actually argue that we have. Sure, a lot of the mp3 stuff was Jobs, but I'd argue that the game was changed so that we can't do the same with mp3s. We downloaded mp3s, but we stream movies. Now, I think streaming is superior in many ways, and I'm not bashing it, but it did change the game.

Free software is becoming more and more common. Sure, it moves slower than proprietary software, but I'd argue that's a feature, not a bug. We now have MS open-sourcing a lot of stuff, and including bash in their stack. Apple is trying to become more open, and focus more on privacy. Linux is getting more games than ever.

I really view this new DRM scheme as a desperate attempt from a dying industry. And I do think eventually we'll look back, thinking it was absurd.


Linux might be a small (but rising) percentage. But the bigger point is that Linux is a free operating system. If Linux can't run web content, that means

1. You need to pay someone for an OS in order to view the web.

2. The OS market isn't open, someone else can't just make an OS that people will use, because it can't view the web.


You seem to be ignoring the fact that Chrome for Linux exists but even if it didn't, it seems liked you're trying to argue that other people should be compelled to support your operating system of choice, not to mention conflating a small percentage of content with “the web".

Was the OS market not open when Flash for Linux didn't exist? FreeBSD? TempleOS?

What percentage of content needs to use EME before you “can't view the web”? If everything else but Netflix works, is the web open or closed?

More to the point, what do you expect to accomplish here – is hyperbole going to convince people to use Linux, cancel their Netflix/Amazon/etc. subscription, etc? If not, I would again suggest finding an argument which will appeal to a non-trivial number of people. Why should they care enough to change their spending or contact their representatives?


> What percentage of content needs to use EME before you “can't view the web”? If everything else but Netflix works, is the web open or closed?

If the EME are part of the HTML5 standard, but in practice they require some proprietary blob to operate, then the web isn't completely open. It doesn't mean that it's completely closed. Whether that matters depends, I suppose, on whether you want to take a pragmatic or ideological stance.

> More to the point, what do you expect to accomplish here

Does a complaint have to be a call to action?

> If not, I would again suggest finding an argument which will appeal to a non-trivial number of people.

I don't think an argument, as such, will sway many people. If EME (or similar closed technologies) cause enough problems for enough people (for some definition of "enough"), that will change peoples' opinions. Things have to get really, really bad before most people will ask for change.


You already need to pay someone for a computer to view the web, and OS costs are bundled in as part of that.

The OS market wouldn't be open anyway, because it naturally forms a monopoly/oligopoly.


Netflix works great with Chrome on Linux.


This is why I canceled my subscription. Decidedly half assed support. I'm aware of pipelight, recent versions of chrome etc.


> Look at Netflix's support matrix now and notice how many people can now play movies without needing to install anything:

That support matrix seems to be "Windows or OSX". If you want to make an encryption standard which works on Windows and OSX, why not get Microsoft and Apple around a table to hammer out an OS service/library?

Sounds easier than getting Microsoft (IE/Edge), Apple (Safari), Google (Chrome), Mozilla and Opera around a table to do the same thing at the browser level.


I understand and sympathise with that argument, but View Source is already useless on most large sites due to extensive use of JS rendering and minification. Modern web sources aren't meant to be read by humans and it's really only one or two steps above being handed a compiled binary.

Also: Firefox is quite capable of following Apple, Microsoft and Google. The idea that MozCorp is not a Corp isn't right either.

So whilst "the web should not support rights management and voluntarily cede such content to other platforms" is a perfectly reasonable argument, I don't think the sanctity of View Source or Mozilla is a supporting point in favour.


Respectfully, all of your points regarding the triviality of view-source here are just wrong. Here's a test for you: go to a page and view-source; what do you see?

> View Source is already useless on most large sites

No it isn't. Web devs can easily read source on almost all sites all the time.

> Modern web sources aren't meant to be read by humans

Yes they are - that why we've got view-source.

> and it's really only one or two steps above being handed a compiled binary.

That's the point - it's NOT compiled binary.

The sanctity of View Source is exactly what's in question here, and I stand in the group that says "no" to closed-source web specifications.


"Yes they are - that why we've got view-source."

So, uhh, I tried to view-source on a gmail tab. A solid wall of code. There's nothing there meaningful, not like the web pages of 1999 used to be.

If you're telling me you can browse the wall of code on a site like gmail.com and learn new tips and tricks from it, well, pull the other one, it's got bells on.


oh come on, just use firebug or developer tools and the html tree tab: you have an entire inbrowser IDE for the webpage including even deminified JS


I personally agree that sites with obfuscated JS are hard to read, and are pushing boundaries close to binary. I also think, it's absurd to use that as an argument.

Some sites are pushing shitty, hard to read code, sure. But instead of allowing them to continue working against the spirit of the system, we should shame them, and use them as examples of what not to do. If a couple of bad politicians abuse their system, we don't say "fuck it. lets go back to a monarchy"


It's not "some" sites, it's nearly all.

Heck I picked the front page of BBC News and opened it up. Wall of minified JS. Further down the page we see something that vaguely resembles normal HTML except for stuff like this:

<div id=markets_index_promo class="hidden" data-comp-meta="{&quot;id&quot;:&quot;markets_index_promo&quot;,&quot;type&quot;:&quot;remote-portlet&quot;,&quot;handler&quot;:&quot;remotePortlet&quot;,&quot;deviceGroups&quot;:null,&quot;opts&quot;:{&quot;assetId&quot;:&quot;10263779&quot;,&quot;id&quot;:&quot;market_data\/markets_index_promo&quot;,&quot;loading_strategy&quot;:&quot;post_load&quot;,&quot;position_info&quot;:{&quot;instanceNo&quot;:1,&quot;positionInRegion&quot;:3,&quot;lastInRegion&quot;:false,&quot;lastOnPage&quot;:false,&quot;column&quot;:&quot;secondary_column&quot;}}}">


It's no longer practical to ship source JS, if it ever was. Filesize limitations and frameworks that require recompilation are a significant chunk of the magic of the modern web.


> Modern web sources aren't meant to be read by humans and it's really only one or two steps above being handed a compiled binary.

Modern web sources are also made by people out for money and/or marketing, who by now even seem to have forgotten about graceful degradation and other things that would slow them down.

You don't ask IKEA what the best wood for a solid table is, what means "best" for them has to do with money and the ability to produce in bulk, while a carpenter who worked with all sorts of wood and isn't bothered about those restraints as much will give you a completely different answer. That's kind of how the web became, because IKEA is making more money with selling tables than master carpenters, or even just because they occured later chronologically, because they are "more modern" (which says nothing about quality and only something about time), they are now somehow seen as experts on tables.


This is because the Web is no longer a document viewer; it's a VM. A true modern "view source" button would just take us to the github page.


Don't forget too that for all the arguments about obfuscated or complex JS today there have been many of the same arguments for as long as server side scripting has been in use, too. The web has long been more than just "simple documents" that are easily View Sourced. That's always been part of the Web's longevity and dominance versus stricter cousins like Gopher.

It's interesting that in some ways today's JS heavy client apps are more open than similar server side apps from even just a couple years ago: obfuscated code is still viewable client side and browsers are good at providing deminified views in browser dev tools, and if sourcemaps are left in then you can jump directly to the unobfuscated/deminified sources in browser dev tools. Plus, most communications between chunky JS apps and their servers increasingly use friendly REST protocols, which again is its own sort of win for discoverability and friendliness to an informed user poking around inside of how things work.


Incidentally, most of the pages on my site ( chriswarbo.net ) have a "view source" link which goes to the git source (not on GitHub though, since their service is proprietary)

:)


Because distributing boxes is orders of magnitude more expensive than distributing over the existing infrastructure (the internet).


> Even on the DRM front, the situation was no better in the past when you had to use Flash or Silverlight for DRM.

The situation was a lot better when you needed Flash or Silverlight, the browser was not broken by design. And you could run a browser without an encrypted bi-directional channel outside of the user's control. (Which incidentally is the argument with which I got the security section into the EME standard.)

On your argument, that content producers are not stupid. I am not claiming that, but their situation with or without DRM is exactly the same; anybody who wants the movie for free can easily find a torrent, anybody who wants a legal stream pays Netflix. The only reason for DRM is, that they want a answer when their shareholders ask what is done against piracy. That is basically the definition of bullshit, a technical standard with a sole non-technical purpose.

The reason free software is winning (Android has a Linux kernel, OS X is based on a BSD, Apache and Nginx run most of the web, etc.) is that the free software ecosystem is quite resistant against this kind of bullshit. Free software developer do what is technically right most of the time, while proprietary software developers have to deal with that kind of market forces all the time. And because of that, we get better software and at some point the market forces are such, that companies switch to the superior, that is the open, product.


> Free software developer do what is technically right most of the time, while proprietary software developers have to deal with that kind of market forces all the time.

I'm no fan of EME but you completely lost me there. GCC has been kept monolithic not for technical reasons, but for fear of modularization leading companies to close source their frontends[1]. This has come up again now that LLVM/Clang is gaining on GCC[2]

The decision to avoid a stable ABI or even API for Linux drivers is again driven by non-technical reasons[3] (Linus actually specifically says the reasons are non-technical).

Whether or not you agree with these reasons, I find it hard to call them any more "technical" than the reasons you ascribe to the "rights holders" (also am I the only one that thinks it's silly that the term these companies prefer to call themselves by feels a lot like "landlords"? Who as we all know are universally loved!).

As far as getting better software, it depends. A lot of free software projects end up just doing what the creators feel is interesting instead of things users actually want (cf. Linux on the desktop). I'm not faulting them for that (it's their project and time after all!) but it does sometimes leave users of free software out in the cold unless they have the skills and time to contribute the features themselves.

[1]: https://gcc.gnu.org/ml/gcc/2000-01/msg00572.html [2]: https://lwn.net/Articles/582242/ [3]: https://lwn.net/1999/0211/a/lt-binary.html


There will be some way to opt out of EME though, so the presence of the channel outside of user control isn't any different than with flash.

(Hopefully something better than running a fork, but that option is there.)


There may be a way for users to opt out.

I think EFF's point is that new browsers wouldn't be able to ship an EME feature without specific approval from the studios... at least that was my reading from previous articles here. I can't find the reference now.


In chrome you can disable it on the plugins page. I've done it. Lots of stuff doesn't play. So now I have a standby Windows 10 (spyware!) system to play Netflix/Hulu in Edge (don't hate me)


I would be surprised if Firefox and possible Chromium didn't have a feature flag for it.


I half checked before making my other comment and didn't find anything.

A second look reveals media.eme.enabled in Firefox, so it's already possible to turn it off.


This EME pref is also exposed in Firefox's settings UI (as a "Play DRM content" checkbox (about:preferences#content on Windows and OS X). There is more documentation on Mozilla's Support site here:

https://support.mozilla.org/en-US/kb/enable-drm


Since the EME video has to show up in HTML, there may be a way of an extension blocking it. If this is possible, I'd be surprised if it didn't end up as an option in uBlock Origin and friends.


>Making a huge issue of EME is just asinine and belies a complete ignorance of the market forces at work here.

I do like comments such as yours that highlight the influence of economics because that factor is almost always missing from naive commentaries about "github vs git" or "gmail vs mydomain.com" or "Facebook vs mydomain/Usenet/IPFS/etc".

However, Cory is actually emphasizing something else that you only mentioned at the end:

>, but customers should also have the freedom to circumvent those measures.

Yes, Cory is against DRM in general, but the particular essay is focused on the interaction of DMCA and DRM causing innocent people who analyze/research browsers to become defacto criminals. While the "market forces" aspect is part of the DRM push, it's not relevant to this particular essay.

The analogy would be Microsoft Steve Ballmer's assertion that the GPL "infects" other commercial software. (The "infection" is by design of course.) Therefore, many businesses deliberately avoid it. Cory doesn't want the criminal nature of DMCA to "infect" browsers which then allows content publishers like Disney to put browser researchers into jail.

Theoretically, the DRM and "reverse engineering is a crime" could be orthogonal issues, but the current USA law doesn't separate them. This is the nuance that pushes many to keep DRM out of browsers.

I don't know what the solution is. Maybe the community does something like FFMPEG distributions. The widely distributed binaries do not include patented code. However, hardcore devs can download sources of any patent-encumbered code (e.g. AAC codec) and build their own binaries for their private use. They just can't publicly redistribute it without threat of a lawsuit. It's possible to distribute 2 separate binary builds (firefox_drm & firefox_nodrm) but I'm guessing it would cause confusion. Most users would default to just downloading the DRM version "because it plays all the videos I want to see on the web." Then you're right back to Cory's argument about the criminalization "time bomb" infecting browsers.


> They know that there is no such thing as guaranteed copy protection and that there will always be an analog loophole.

And they surely know that one able person to circumvent the copy protection suffices.

> They just need enough roadblocks in front of casual piracy to prevent devaluation of their content.

Using DRM on the viewers is a devaluation of their content since I know people who would rather "pirate" instead of buy DRMed content even though they do have moral reservations against illegal copying.

Thus I can hardly imagine a better advocacy for priracy (ironically even from the side of the rightholders) than the rightholders insisting on DRM. Thus every "hardcore pirate" can say that say still have the better product and every fencesitter can warrant their piracy by soliloquizing that they really, really would buy the product but there is no product available without DRM.


An open DRM could theoretically be useful for things other than copyright protection. For example, you could display an on screen keyboard for password entry and guarantee that malware cannot create screen grabs. Having cryptographically secure peripherals could help improve security and privacy, but only if it is open.


The problem of course being that an Open DRM is a fanciful oxymoron. DRM requires keeping decryption secrets from the user while allowing them to decrypt; if the user knows the algorithm to how those secrets are kept then the user knows how to access those secrets.

It's certainly interesting to imagine what an Open DRM standard might look like. It's probably something more like a "blockchain" than existing DRM.


And it was always ridiculous to use the same key across millions of devices. Of course there is a huge security benefit in having unique keys that are inaccessible to possible attackers.


> At least now there is a clean interface to just the video decryption without requiring a whole bloated proprietary plugin.

Um, you're aware that the video decryption modules EME downloads are bloated proprietary plugins, right? There's no open standard to decrypt video, which is Doctorow's whole point.


You need to remember that the status quo was Flash. It's absurd to try to pretend that a sandboxed decryption module is remotely comparable to a runtime roughly comparable in complexity to the browser itself.

Yes, it's proprietary and non-free. Everyone knows that and we can debate the implications but there's absolutely no possible interpretation where that isn't a huge win for security and stability.


The content decryption modules (CDMs) do have limited access to the browser (basically: here is a stream of data, render into this viewport), but there is nothing in the spec that limits what the EME modules can do to the OS (and the Windows Widevine one, for example, integrates with "Protected Media Path" which is Ring 0 code).

Even the W3C is skeptical of the security of CDMs: https://www.w3.org/TR/encrypted-media/#cdm-security.


Yes, but that's not introducing additional risk because the user was going to install it anyway, assuming it isn't provided by the OS or something like Chrome. If you're using content restricted by Widevine, you're exposed to bugs there no matter whether it's accessed by a CDM, NPAPI plugin, or a standalone app. Until consumers stop paying for encumbered content that won't change.

My point was about what we're not exposed to: bugs in Flash/Silverlight or exposed OS features being used in unexpected ways. That's a huge amount of code with a history of exploits and almost none of it is necessary to play a video but it's still enabled and ready to attack.


I agree with your criticism that the browser ecosystem has improved from a past of idiosyncrasy and special plugins, but I wanted to mildly disagree with your strong prediction that if the browser became technically hostile to DRM, then content providers would refuse HTTP distribution and that the market would gladly go with custom streaming boxes.

Just because a DRM standard doesn't go through doesn't mean that it's any easier or harder for the majority of customers to illegitimately acquire content, and nor is it any easier or harder for a company to provide illegitimate content, especially in the centrally-hosted streaming form.

If you're saying that there's always a way to acquire content, since content must ultimately be decrypted on some legitimate system, then companies will continue to have the technical reach to efficiently acquire content. What stops them is legal censure and international trade deals, not a DRM standard.

What a DRM standard does do is make legitimate content experience more enjoyable for customers because now there are fewer plugins, which could also translate to security benefits.

At worse, we end up with a world like we have now, where content providers still do business with Netflix and Hulu, and companies use flash or some other plugin to secure their content, and people still have the same ease / difficulty of acquiring illegitimate content.


While I'm mostly in favour of EME, I'm sceptical that it wouldn't be possible to strong-arm big content into providing content without DRM. Digital music has transitioned to being sold DRM-free. TV is broadcast DRM-free and can be copied with widely available technology. BBC iPlayer recently launched a HTML5 beta which doesn't use encrypted media extensions. YouTube doesn't use EME for the music videos available on there.

As long as users can't right-click and select "save video" (not possible on any video using DASH) it will still be easier to torrent things.


> The torrent crowd would have you believe it's because they're stupid, but Big Content is anything but stupid. They know that there is no such thing as guaranteed copy protection and that there will always be an analog loophole. The reason they insist on DRM is as a means of control. They just need enough roadblocks in front of casual piracy to prevent devaluation of their content. If they were unwilling to accept any piracy they wouldn't stream to PCs at all.

If this is what they're trying to do, it seems pretty stupid to me? Casual piracy has not been enabled by casual pirates recording off their radio/TV since VCRs died. Casual piracy is enabled by determined attackers and a distribution network that lets them reach casual viewers.

But the DRM they seem to be pursuing is quite a few steps above macrovision's quaint protection, and threatens all kinds of new poisonous side effects. Reality does not seem to reflect this minimal effort theory.


I appreciate thus thoughtful reply. I think that big content us in fir a rude awakening, though. They don't have all the power. Go ask big news or big music how ignoring their customers changing demands has gone.


Isn't big music in the best shape ever right now?


The perception of studios having the balance of power is as damaging as the reality would be.

I don't own a tv. This is true of a growing section of the people I know. A majority of people I've asked consume greater than 75% of their Hollywood content through a steaming service. You have won that battle.

Today Hollywood's major leverage is not pulling content from the web (it simply can't) but from competing services. Netflix and Amazon recognise this which is why they are trying to become content producers.


"Which, BTW, is exactly what would happen if we succeeded in outlawing DRM on PCs."

"Customers wouldn't bat an eye either..."

So what's the problem then?

Customers come first, right?

If they are happy, then what's the problem?

Why force commercial content into the so-called "general purpose" web browser? The way you describe your negotiations I get the impression that scare tactics, e.g., piracy, are being used as leverage.

What are you hoping to achieve?

Also, it is interesting how you transitioned from DRM in a browser to "DRM on PCs". This is a much broader question.

Is the only purpose of a personal computer to run a web browser?

Is the only purpose of the internet "the web"?

Is the only use of a network to transfer commercial content?


If I can't watch the content on my device, I will just Google watch show name for free and get a direct link.

Studios have no power, they just think they have.


> I don't quite understand the ideological bent that EME corrupts an open standard, but the same result from NPAPI is somehow less objectionable?

The same result from NPAPI is the same objectionable. That's why NPAPI is deprecated.

There shouldn't be DRM in web browsers. Any DRM of any kind. If Hollywood then wants to only distribute movies via Comcast and not the web, let them. They'll lose a large revenue stream to spite themselves, smaller studios who use the web anyway will get a large uptick in viewers on mobile devices and PCs which will erode the big studios' power, Hollywood will get pressure from all sides to support the popular platforms anyway, and it doesn't even matter if they don't.

People aren't going to stop buying iPhones just because they can't watch certain feature length movies on the 6" screen.


If neither Samsung nor Apple are shipping a phone that can watch Netflix, one or the other has a huge incentive to be the one to sell a phone that does.

As for the viability of independent content. The last decade has been a damning indictment of that argument. Between high quality digital cameras and YouTube, it's never been easier to release independent content into the world. Yet, what rocketed YouTube to popularity? Being able to watch the Daily Show without paying. Same thing with games. With open source game engines and Steam, it's easier than ever to release independent games. Yet, companies like EA with borderline abusive customer practices are taking it in with Call of Duty 17.


And if neither Sony nor Paramount are showing movies to customers with iOS or Android devices, one or the other has a huge incentive to be the one to start, even if it means no DRM.

And there are a lot more little studios than there are browser or OS vendors, so there would certainly be movies available. Which would put pressure on more studios to make movies available, which would put pressure on the remaining studios to not abandon a proven revenue stream etc.

I'm also not sure how the argument that people will pirate Hollywood content rather than watch independent content on devices that don't support DRM is supposed to improve Hollywood's bargaining position. It's pretty much the pure distillation of the point that offering content without DRM will reduce piracy and increase revenue.

And "companies with abusive practices are very profitable" sounds like the argument for platform vendors restricting the abusive practices.


re: Cory Doctorow & DRM

I highly recommend watching his talk[1] month ago at the Internet Archive about fighting DRM. Unlike many previous talks, this time he focuses on supporting ourselves and our fellow engineers by taking bad options off the table before they become temptation. It's a lot harder to allow a "little" corruption of open standards if that kind of option is forbidden with a Ulysses pact.

[1] https://www.youtube.com/watch?v=zlN6wjeCJYk


> makes it a crime to circumvent an “effective means of access control” that sits between users and copyrighted works

US had always legal troubles with cryptography. In past programs like PGP, TrueCrypt etc were developed outside US. That can easily happen with browsers.


Huh? PGP was developed in, and published from, the US. Hence the criminal investigation.


It's was split off at version 2.6.3(i) into an "international version" that was exported by printing the source into several large books and scanning them in, and then further developed outside of the US. I believe most current PGP versions are descended from the international branch, but I could be wrong.


That sounds interesting. What was the point of printing source and scanning it back into computer? Did that bypass the export law back then?


http://www.pgpi.org/pgpi/project/scanning/

> However, the Export Regulations only covers software in electronic form (e.g. on disks, or via the Internet).


> some of the biggest tech corporations in the world today support EME

Not just support, Google and Microsoft invented it:

https://www.w3.org/TR/encrypted-media/

The best way to fight back against EME is to put pressure on those companies and their browsers.


This is the first time I've heard of EME. This caught my eye:

> Although some of the biggest tech corporations in the world today support EME, very few of them could have come into being if EME-style rules had been in place at their inception.

Why is that? It looks like EME is just about streaming video - how would this have prevented Apple/Google/Amazon etc from coming into being?


EME is an API to talk to a Content Decryption Module, I.e. a DRM system. EME is easy and free to implement, but entirely useless without a CDM. There is no specification for CDMs. If you want one, you need to license it from Adobe or some other Hollywood approved vendor (or become one your self by playing by their rules).

You cannot just implement the royalty free web standard specifications and expect the web to work. You also need some corporate agreements.

Arguably this isn't really worse than needing flash or silver light. But at the same time it looked like these were on their way out and that the battle for a 100% open standards web was being won. And Flash & friends could be installed by end users, while CDMs need to come bundled in the browser. Also, in web standards circles, flash and co were considered problems to be solved, while EME is presented as the solution.

So if you're a new browser vendor, and have an inovative (and legal) business model, either Hollywood likes it, or you will not be able to support the whole web.


Also, a must read about DRM, by hixie (main author of the HTML5 spec): https://plus.google.com/+IanHickson/posts/iPmatxBYuj2

If you've ever thought DRM made no sense at av the tech or crypto level, read that to see that you are right but focusing on the wrong aspect, and that strategically it makes perfect sense (and is even nastier).


> If you've ever thought DRM made no sense at av the tech or crypto level, read that to see that you are right but focusing on the wrong aspect, and that strategically it makes perfect sense (and is even nastier).

Everybody already knows that. But Hollywood can't actually admit to that because it's blatant cartoon villain-style robber baron behavior, so they keep insisting that the purpose of DRM is to "protect content" from "pirates." Which means we have to keep pointing out that it has never done that.

Their actual reason for pushing DRM is why we need to get rid of it.



Google wants to steal Web content by downloading (i.e. pirating) it, using automatic programs called "crawlers" which cause pages to be served but don't provide any revenue via ad views. That's theft, and it shouldn't be allowed.

They also want to use that content in unapproved ways, for example to extract keywords and links. They then serve this unlicensed information publically, with their own ads.

Thankfully, we can put a stop to such wholesale commercial piracy by encrypting our content using EME.

</sarcasm>


That's a really terrible analogy.

The web already has that kind of DRM and always did: robots.txt, enforced by social convention rather than encryption.

And yes some companies ban crawlers and try to get their content out of search engines for questionable reasons. More often, they try to strongarm Google so their content is still there, but they get paid for the privilege, which is not a reasonable approach and thus not supported by the robots.txt "DRM" protocol.


robots.txt is not DRM: it can be freely implemented by anyone without special knowledge – and ignoring it does not lead to a criminal investigation.


No proponent of the technology has ever claimed any of that in this context. A sarcasm tag doesn't automatically make it a useful comment.


I think what the parent comment really needs is the:

<sarcasm-against-strawman /> tag.


"EME-style rules" meaning similarly restrictive rules on the core browser functions of the time, not streaming video.


I understand the case that EME makes it more difficult to create a browser, but none of the biggest tech companies got their start by writing browsers.


Somewhat of a quip, but I suppose technically still true: Without the creation of new browsers, we'd still be in the Internet Explorer age, and we can all imagine how much potential revenue would have been lost for internet companies, if that was the case.


Perhaps it is building the backend that is considered to burdensome? A youtube competitor would need to serve DRMed video and thus be able to do EME.


No they wouldn't. YouTube doesn't use EME, at least for user-generated content.


The only issue I'm having with Cory's piece is, that it seems that there is a solution outside of politics. Even so I kinda know that he aware of that. Only politics can change the way copyright is working. Sadly in the last decades, it mostly listend to the copyright holders and transformed a limited monopoly right into a property.


playing the devil's advocate - without EME how would movie studios agree to letting you stream their movies on Netflix?


You're not the devil's advocate here. I remember talking about EME on here before and when it was being spec'd. The general attitude was, "I hate DRM! ...but then again, I DO like netflix!" It was pathetic to watch people sacrifice their principles just because they liked the convenience of netflix. Everyone who did that will regret it eventually.

20 years from now we'll all be reminiscing about the days when the web was still open. We'll kick ourselves for folding on this issue in just because we wanted to watch some throwaway movies on netflix.

Secondly, who cares whether netflix gets the rights to stream movies? That's their problem, not mine. Instead of finding a better solution, they make it everyone else's problem by pushing EME and shoehorning DRM into html.


"It was pathetic to watch people sacrifice their principles just because they liked the convenience of X."

You said a mouthful.

This is what the last 14 years look like in my rear-view. To be honest, I did get kicked off FB for being too old, my Ebay junky problem preceded this century and I did love playing euchre w/ my gramma on Excite. Then the dotcom refugees came back and those start-up search guys came & wrote in big letters on the wall(and plainly in the 1st paragraphs of their EULA). Of course, everybody eventually follows the easy money path and the privacy fleecing is thusly justified, "Everybody's doing it!".


>without EME how would movie studios agree to letting you stream their movies on Netflix?

They'll agree to it because they need the web to survive. Services like Netflix are the future of media distribution - physical media like DVDs and CDs are going extinct, and movie theaters are dying off. Mass media needs the web, but the web doesn't need mass media.

But is DRM really containing piracy? In most cases, no. What stops people from pirating content en masse is the existence of convenient, legal streaming services and the general disposition of most people to want to avoid breaking the law. People will tend to prefer legal services if they're convenient and inexpensive, even though piracy is free.

So, the pirates are still going to pirate, and DRM of any flavor likely isn't going to stop them. Copyright owners are going to have to put up with it because every distribution model other than streaming over the web will probably lose them even more money than piracy will in the long run.


The same way they do now: By making deals with Netflix. If they don't like Netflix, they can either make their own version of it, get a contract with a Netflix alternative, or just stop putting their movies online.

It's not like adding EME is suddenly going to allow anyone to do something that they've never done before.


Netflix has copy protection and yet movies are still all readily available on pirate sites. What difference does EME actually make to the movie studios' bottom line?


The answer you're looking for is here: https://plus.google.com/+IanHickson/posts/iPmatxBYuj2 (no, seriously)


The answer in link is already answered years ago. Publisher cannot stop piracy because it cannot control user device, because user has full access to device. So the only solution to problem is to gain full control over user device, which is impossible, because user device is in hands of user.


Except it's not impossible. Look at iphone and increasingly android. The device is locked down so hard that even the user doesn't have root access. Gaining root can be seen as a negative, borderline criminal thing and you lose warranty and repair service from the manufacturer. You also lose the ability to use some apps (Android pay, snapchat, etc.) just because you have root access.

The only ones with true root access are Apple and Samsung/Google.


Nearly 20 years old and more relevant than ever:

https://www.gnu.org/philosophy/right-to-read.html

More and more it feels like we are reinventing the mainframe/minicomp era.


That argument hasn't made them change their mind on copyprotection for decades. Why now?


DRM pushes people towards legit outlets, often because the pirate version is of lower quality, bound with malware, or arrives later than the legit version does. Stop seeing DRM as an unbreakable lock and start seeing it as a cost optimisation problem and you'll understand.q


DRM pushes people against legit outlets, often because legit version is of lower quality (e.g. HDCP), bound with malware (e.g. Sony rootkit), or arrives later or even never, because market too low to care about (e.g. Linux/BSD, or local markets of non-English speaking countries), that the pirated version does.


What malware? Piracy is a better product because it doesn't have DRM.


Shouldn't Netflix figure out how to solve that problem instead of the W3C?


Agree, I don't know much about Nflix, but shouldn't they be using their own native app?!


Without the broadcast flag how would networks agree to support HD? https://www.eff.org/deeplinks/2009/06/dtv-era-no-broadcast


Because the alternative is putlocker or watchmovies where they don't get a penny?


Without DRM how would movie studios agree to letting you watch their movies on TV?


Movies on TV are already paid for, and it's still illegal to copy and redistribute televised content in some cases (see:Aereo.)


Both of those points also apply to Netflix.


The bigger problem of web browsers is the standards really. There are many issues with them and the browsers need to maintain backwards compatibility.

Those standards are hacked together like javascript, underspecified, feature bloated and only subsets are supported.

And it's only getting worse. The SVG path grammar for instance will get even more complex in SVG2 even though many implementations for parsing it are buggy.


The web is fucking fine, you know what isn't fine? Email. Email is a fucking mess.


[flagged]


Please don't post comments that react to nothing but a title. Those aren't substantive.


And if we call the MAFFIA's bluf and strip video and audio from browsers, where it never should have been, and create a unified multimedia retrieval, queueing, and playback system?

1. No more fudging autoplay anything. Win.

2. Media interface can be DRMd (if you're a fool / slave to the boss) or free.

3. Instant DRM-free ecosystem.


I'm totally fine with this. Almost all the video I watch over the Internet is Youtube and Facebook. Let them both create native apps. The browser doesn't need to be able to stream video inside the page. You can always follow a video link and open it in an application of your choice. This is actually great.


I'm actually going one step further.

For _text_, tabs and such somewhat make sense.

For audio/video, they almost never do. I can _listen_ to one stream at a time. I might be able to watch 2-3, but only one's going to be getting any attention, the others are, say, monitored for intrest (something software should be able to do far better than I).

I've argued for some time[1] that "the browser" should be divided into about 4 distinct apps. It's already partway there.

1. Reading / commenting / research. Essentially _no_ remotely-imposed style. Support front/index, gallery, article, and discussion formats, possibly a few others, _whose rendering properties are defined locally_, by the user. Pocket, Readability (which appears all but dead), Instapaper, and Pinboard all fit this model. Arguably emacs as well.

2. An app framework. This is where Chrome is headed, possibly Firefox too.

3. A dedicated commerce app. Privacy, security, feedback, etc., within it. We've got a few candidates in iTunes / Apple Store, Google Play, and Amazon Store. I'd prefer an open version, not sure we'll see it.

4. A multimedia app. Podcasts, streams, and media downloads, with scheduling, queue management, high-level and consistent playback controls (fast/slow, fwd/back, skip), etc. The idea being that only one damned item at a time would be played, and you could control your media from one damned place.

I've been exceptionally dissatisfied with the State of the Web since ~2009.

_______________________________

Notes:

1. https://www.reddit.com/r/dredmorbius/comments/256lxu/tabbed_...




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: