YouTube-dl's repository has been restored (github.blog)
2636 points by fusl on Nov 16, 2020 | 658 comments

It seems like EFF fought for youtube-dl and GitHub used their letter as legal firepower to bring the repo back online. If GitHub were fighting for the developer they would have funded the attorney, right? Though from their blog post it does look like they are taking steps to fund defense in the future as well as other steps to improve the situation.

Reading EFF's claim is pretty interesting, they state that saving a copy of a video is only one function of youtube-dl. I think the biggest problem is the name is called "youtube download", it is sort of difficult to downplay that saving a copy is only one function when the name implies it is the main purpose of the program.

AFAIU the argument is more that youtube-dl is effectively a web browser and doesn’t do anything that a web browser doesn’t do. Further, it does not include any “secret” key for DRM circumvention like might be bundled with e.g. Chrome in the case of Widevine, where browser vendors agree to protect the secret key.

That's how I understood it as well:

"youtube-dl stands in place of a Web browser and performs a similar function with respect to user-uploaded videos. Importantly, youtube-dl does not decrypt video streams that are encrypted with commercial DRM technologies, such as Widevine, that are used by subscription video sites, such as Netflix."

"We presume that this “signature” code is what RIAA refers to as a “rolling cipher,” although YouTube’s JavaScript code does not contain this phrase. Regardless of what this mechanism is called, youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them. As federal appeals court recently ruled, one does not “circumvent” an access control by using a publicly available password. Circumvention is limited to actions that “descramble, decrypt, avoid, bypass, remove, deactivate or impair a technological measure,” without the authority of the copyright owner."

I wonder where the phrase “rolling cipher” actually comes from. Did the RIAA just make it up?

The (English) phrase is used verbatim in the (German) 2017 LG Hamburg claim and verdict. It is not explained there, nor did the claimant explain where they got it from. I’m assuming that it’s based on a misunderstanding of “rolling codes” [1], an actual cryptographic technique, which isn’t applied here (the only overlap is that the “s” parameter of the YouTube video URI varies for certain videos; and, well, the key in rolling codes also varies).

Interestingly that verdict also claims that URL encoding is a valid, effective encryption measure (I’m not kidding! See [2]; the German word here is “Prozentcodierung”, i.e. percent-encoding).

The court in question (LG Hamburg) is infamous in Germany for its technically illiterate, consistently laughable verdicts in IT-related cases (this isn’t a recent thing — it’s been going on for about two decades).

[1] https://en.wikipedia.org/wiki/Rolling_code

[2] http://www.rechtsprechung-hamburg.de/jportal/portal/page/bsh...

I would be curious if YouTube's code contained any phrases at all considering it gets minified.

Me too and it would be interesting if such phrases would be valid if not human readable.

Right, but the law makes no mention of secret keys, it just says you can't go around anything that controls access to a copyright work; and you can't provide tools to do so. The actual legal definition of tools covers both actual technical purpose as well as marketed purpose. Rebranding, say, OBS as "Recorder for YouTube" and talking about how you can use it to get around YouTube's downloading protections by screencapping the entire video would possibly constitute a 1201 violation.

There's also another question of law, though: does 1201 apply when only the intent of the DRM has been circumvented, as opposed to its technical scope? In other words, does pointing a camera at a monitor constitute circumvention of DRM under section 1201? Most DRM can't actually validate, say, that a human is watching instead of a camcorder. (Let's ignore pesky things like Cinavia which are more akin to post-piracy frustration techniques, and easily circumvented with any kind of Free media player.) Likewise, YouTube's rolling cipher can't really validate that it's not sitting inside of an instrumented browser that will dump whatever URLs it grabs. Our hypothetical OBS rebrand wouldn't actually be a 1201 violation unless the law specifically covers things that DRM can't technically enforce but would like to.

The rebuttal to your reasoning is in the letter. Basically a federal judge has previously ruled that utilizing a publicly available password is not circumvention of a copyright protection mechanism. The code containing the "sig" (as Google calls it) or "rolling cipher" (as RIAA calls it) is available to anyone by viewing the JavaScript. This sig / cipher being public means it is not a copyright protection mechanism.

The detail of the “publicly available password” case [1] is quite interesting. It’s not directly analogous to the YouTube system, but as the EFF points out, the RIAA’s reliance on German law has its own problems.

> When Petrolink learned that one of its largest customers, EOG Resources, might switch over to Digidrill’s visualization service, Petrolink took action. Instead of paying Digidrill for access to the corrected drilling data via LiveLog, Petrolink obtained a laptop running DataLogger – along with the corresponding USB security dongle – and then, after realizing DataLogger used an open source Firebird database, managed to gain access to the database by using Firebird's default administrator username and password. Armed with this access, Petrolink developed a program named “RIG WITSML” (dubbed “the scraper” or “the hack”) that could be installed on an MWD company’s computer running DataLogger in order to – in real time – query corrected drilling data from the DataLogger database and transfer that information to PetroVault for visualization. Petrolink then began installing this RIG WITSML program on MWD computers running DataLogger at more than 300 well sites.

[1] https://www.courtlistener.com/opinion/4765801/digital-drilli...

> This sig / cipher being public means it is not a copyright protection mechanism.

I can see this as ending up with Youtube being forced to require sign-ins. Massive expense for Google. Then Youtube-dl adds one parameter for the password, and we're back to square one.

Youtube wasn't behind the DMCA takedown, though. Do they even care about youtube-dl?

Google quickly kills any iOS/Android app that offers offline playback functionality for YouTube, so I can't imagine they love youtube-dl. They probably only haven't made a stink because it might attract more attention to a tool primarily only known about in techhead circles.

I think the difference is that offline playback and background playback on iOS/Android can be unlocked through YouTube Premium so those apps directly interfere with YouTube's bottom line. YouTube-dl I don't really see as directly competing with that because it's not trivial to download a YouTube video from it to your phone.

You can use Firefox mobile and the "Video Background Play Fix" addon to disable the browser APIs that allow the background play blocking antifeature.

Alternatively, the NewPipe app available on F-Droid can be used to both play videos in the background and download them.

And given how unlikely people are in the wider non-technical audience to god-forbid, run a command line program, I guess they really just don't care.

They do take easily accessible apps that use youtube-dl under the hood pretty seriously. I guess it depends on how much of an effort it is for them vs how much of their bottom line ytdl is cutting into.

> Do they [YouTube/Google] even care about youtube-dl?

A downloaded video doesn't generate ad revenue.

Yes it does. I go to the page (ad), copy the URL, and youtube-dl.

More critically, Youtube relies on network effects and people using it. Part of the reason we share family videos, educational content, and other things is so it's, well, shared. For me, the reasons to use Youtube-dl are:

1) People in bandwidth-constrained settings. If I post my videos, and colleagues in some countries can't watch them, I'm going elsewhere.

2) Remixing. If I can't make collages of family videos, I'm going elsewhere.

Youtube can serve masters like me, where it's an effective platform for sharing videos I want people to watch, and where the goal is dissemination. It can serve masters like the RIAA and the MPAA, where the goal is monetization and control. It will have a hard time serving both.

I suspect if it tries, people like me will go to someone who caters to us. A YouYesYouNoNotTheRIAAYesYOUTube. If we do, I think there will be enough of a network to start to syphon people off, and eventually, cat videos and Aunt Alice will be on YYYNNTRYYT.com, while corporate video will be on DRMed Youtube.

At that point, we'll have a replay.

>I go to the page (ad), copy the URL, and youtube-dl.

Youtube-dl has an integrated search function, so you actually don't have to open the video in a browser at all.

That's secondary to the rest of your comment, but I thought it was worth noting.

Perhaps more importantly, the number of people using youtube-dl because it allows you to watch videos without ads almost certainly pales in comparison to the number of people just using adblockers. Youtube-dl makes you wait.

there is no waiting when youtube-dl is used from mpv or similar.

Downloaded videos often get remixed into other videos that generate ad revenue. Commentary, reaction videos and compilations are substantial parts of youtube.

i often watch youtube videos from mpv exactly to get away from those distractions.

How many people downloaded Shake It Off with youtube-dl vs. the people who watched it from the official YouTube app or stock Google Chrome? youtube-dl does not nearly threaten their revenue in any tangible way.

Yes, but is there any indication that they work against youtube-dl in some specific way? Adversarial actions like changing youtube to render youtube-dl non-functional?

Youtube has to listen to the RIAA's demands because music and music videos are a huge portion of their traffic. The music industry could decide to move all that to Spotify if they chose.

Yea ha ha.

They took that poison pill already, I really, really doubt they ever new pop music stops being part of youtube in the future, the audience is too large. It would be like them taking music off of the radio because people could record it on reel-to-reels. They might stomp around a bit and try to use the law to get what they want, but when push comes to shove the big labels will keep their music on youtube.

The RIAA/NARM/etc. needs YouTube WAY more than vice-versa.

No they cannot. Music videos that aren't on Youtube don't generate much in the way of traffic anywhere else. Artists have tried it and failed.

They absolutely need each other and can't afford to be nasty to each other.

I am not that afraid that Google would require sign-ins for everything. Even Google with its massive market dominance should be pretty scared of giving such a clear opening for a competitor, and being accessible without a login is a huge feature in order to get market share quickly compared to a competitor that does not.

Not to mention, all that ad revenue.

People will literally just give up and straight up do something else if content is behind an auth-wall.

You already have to sign in to view some videos, don’t you? Does YT-dL not have a way to handle those right now?

It does, but it's broken.


The developers are not responding to the issue, and from what I understand it is borderline impossible to fix, because there is an entire security team behind the Google login protection. The only workaround is to login with a browser and copy the cookies from it to youtube-dl.

> The only workaround is to login with a browser and copy the cookies from it to youtube-dl.

That's really easy to do with postman.

"Postman" seems like a pretty generic name.

Looking quickly online, maybe you're meaning this one?


I'm pretty sure that is what they mean, yes. It is a nice tool. Lets you write HTTP(S) templates with parameters and whatnot, save them in groups, send them, handle the response, etc.

Funny. I initially read that as “The Postman” - kind of like “The Batman.”

And your response is regarding whether it should be referred to in the definite article.


It just works. Every time. It’s gotta be one of the most unappreciated tools out there right now.

Why not simply create a youtube-login command that does nothing but launch an electron instance that lets you login into youtube and then returns the cookie?

youtube-dl could then call that command to obtain the cookie.

There’s a good chance that behavior would result in a CAPTCHA.

The idea, I think, is that it literally launches a browser to let a human do the whole thing.

You can automate fetching Chrome’s cookies. This is generally very useful for scraping.

https://github.com/blackjack4494/yt-dlc is maintained by someone who responds to issues.

Do you? I've never tried to watch any that have required it.

Maybe there's Red-only content that isn't advertised/recommended to non-subscribers?

Content with a certain age threshold triggers login. The last time I looked at this, embedding these videos was still possible without logging in. So there are definitely ways in accessing the content without authentication.

Hm. If embedding works maybe my ad-blocking is sufficient; or I just haven't come across any that require it. I mostly just watch woodworkers/machinists/electronics/etc. Sort of conceivable it could be age restricted but would also be surprising.

There's also members-only content on some channels that requires a paid subscription to access.

It's already there, you can authenticate using a cookie file if you want.

Or they just start to use Widevine protection for their videos

i am already getting a "please log in" nag screen almost every time i open a video link (i block all cookies from youtube).

What is considered publicly available?

I suppose right clicking and selecting view source is ok, but reverse engineering a code out of a hardware chip isn't?

Because any kind of DRM basically has a key in the possession of the user. There are just different levels of difficulty to read that key.

> as well as marketed purpose

Yes, it would be problematic if, for example, Samsung was marketing their latest flagship as "Our dark-light technology means you can take nearly pixel-perfect video of movies while you watch them in the movie theatre!"

> Likewise, YouTube's rolling cipher can't really validate that it's not sitting inside of an instrumented browser that will dump whatever URLs it grabs.

What are the criteria for differentiating between youtube-dl and a "browser"?

In this case a “browser” is a YouTube client that copyright holders are happy with, because it doesn’t provide any simple way of saving offline copies.

I agree. But that's not a viable legal definition.

There are exceptions. Access for the disabled is one of them and youtube-dl can very much be the basis for an accessibility tool.

Just re-upload it and change the readme to define "youtube-dl" and "Youtube Digital Library"

I called this a couple of times[1][2] so it is nice to finally see someone else make this argument. It seems obvious to me.

[1]: https://news.ycombinator.com/item?id=25006577

[2]: https://news.ycombinator.com/item?id=24997072

If a program had its own implementation of widevine, why wouldn't you also be "effectively a web browser" ?

Sure, it would be "effectively a web browser". But it would also require a secret key. If the program is not licensed to hold the key, that could be considered circumvention.

Other browsers have the key, why would this one be different ?

Because they have a license.

So if a program used a licensed browser as an intermediary to obtain Widevine-protected content, would that be circumvention?

I even sidestepped the obvious of loading widevine.so, running it, symbolic execution, etc. It's mostly a thought experiment to show how everything is stupid in the end.

I'm afraid in a few months/years, we'll see the hardware security level to become mandatory for Netflix, etc. And then YouTube.

In the old days, someone who wanted to send you this kind of content would build and sell hardware for you to receive and play it (like a DVD player).

Online streaming services have, in part, scaled so quickly because they run on the general-purpose computers that people already own. So they don't need to bear that hardware cost. These general purpose computers have been fertile soil to grow and nurture the seeds that software companies scatter to the winds.

How interesting it would be if it comes full circle with specialized hardware being required on each PC to receive the content stream.

That kind of "pull the ladder up behind you" strategy would be a natural thing for today's dominant players to try. They benefited from an open playing field, but now they no longer need it. If they succeed, they have established a massive moat to stave off competition. If they manage to get it into standards and legislation, then undoing it would require a tectonic shift. Google is especially well positioned for this - Chrome, Google Search, Android and Youtube being potentially very effective places to do DRM media gatekeeping. "don't be evil" had to go from their mission statement. Maybe "universally accessible" will be next...

The way they do it is to bake DRM mechanisms into platforms. Intel ME, AMD PSP, Apple T2 chip/SE, those secondary computers bear the DRM hardware features, so end product manufacturers don’t have to handle it.

It's still going to be hardware everyone already owns, just with specific features. It's not a separate purchase of a dvd player, you're buying a phone that has the licensing chip built in

And HDCP is already a thing for authenticating screens.

Loading widevine.so (extracted from a ChromeOS image) and running it is exactly how Kodi reproduces DRM-protected videos.

Isn't the Widevine password essentially public as it is distributed to the client where it was extracted? Or was the Widevine key somehow stolen from Google's private repository?

There are multiple widevine keys, some are in CPU memory (shipped with the client software), some are in trusted enclaves on devices. Some of the trusted enclave keys have been dumped from hardware (nexus 6 for one, iirc) and eventually those keys were revoked or downgraded

IMHO, if it is on the client, it is public.

I wonder if the RIAA will now be putting pressure on YouTube to use the same DRM as Netflix, so that when a video is downloaded they can’t use this ‘it’s just a browser guv’ defence because there would then have to be some circumvention to make it work.

That's a DMCA argument (I'm not hacking).

But it doesn't really work: If you protect your house with no lock, not even a door, but just a little rope with a sign on: "Do not jump over or duck under this ribbon, or cut it!", that's, for the DMCA, enough - so you get into fun games where you claim that, say, a long random unique key that is right there in the HTML youtube.com serves which links to the video is a 'security measure' and that 'I shall read the URLs in this <video> tag and download what I find there instead of showing it on the screen' is 'circumventing this'.

How far can you stretch the meaning of 'circumventing access-control measures' before, in court, you lose your argument? I don't think anybody quite knows yet, but surely github doesn't want to be on the hook for it without microsoft's legal team and management signing off on the risk.

Furthermore, separate from DMCA's hacking provisions, there is simply the concept of who is responsible for any copyright infringement caused by stuff github hosts. As per 17 USC §512 (the so-called 'safe harbor provision'), the idea of claiming 'hey I just host this stuff, I'm not responsible for this, why don't you take it up with whomever uploaded this' is codified: You can do that, but it does mean that you _MUST_ take down the content in response to a takedown notice, and if you don't, then you are now liable for any infringement that content makes.

The idea is that the owner of the data files a counterclaim notice, at which point the hoster (github) is free to re-host everything without opening itself up to liability, but only if, as per 17 USC §512, they do so 'no less than 10 days and no more than 14', and github did it in 1 day, so whoopsie there I guess.

At that point it does turn into a fight between claimer and counterclaimer: The idea behind those 10 days is that the supposed real content owner can then go file in court against the counterclaimer; merely filing a lawsuit is enough: Show that to the hoster (github), and they can no longer re-enable the content without then being liable for infringement by doing so.

You can't file a counterclaim until your content is removed.

Yeah, that means an utter bozo can take your content down for at least 10 days and there is nothing you can do about this. The DMCA is not particularly well designed in this manner (it doesn't protect against trolly crud well, and getting a barratry verdict in the US is borderline impossible). But that's how it works.

In github's shoes, the fact that youtube-dl doesn't infringe is relevant only insofar that they are willing to ride that notion allllll the way to the gavel in the ensuing court case, because they will be defendants if they ignore the takedown request. Presumably they weren't going to just do that without at least a close look by microsoft's legal team, and a signoff from the big wigs for the likely millions this will cost, given that US law in these matters is... well, have you ever seen one of those shows where 2 people are on a beam and trying to knock the other one off with a giant q-tip? US law is like that, except the ends of the q-tips are moneybags.

> "Do not jump over or duck under this ribbon, or cut it!", that's, for the DMCA, enough - so you get into fun games where you claim that

No. There must be an effective technological measure (objectively, according to the state of the art); see https://www.law.cornell.edu/uscode/text/17/1201 (a)(1)(A): No person shall circumvent a technological measure that effectively controls access to a work protected under this title.

This law article is utterly hilarious and self-contradictory. No-one should be able to circumvent "a technological measure that effectively controls access", by definition. If someone does circumvent a measure intended to control access, this proves that the measure was not, in fact, effective, thereby rendering the entire article inconsequential.

The lock at your door is also assumed to effectively control who can open it, but as we know keys can be duplicated. However, it is not possible to copy it without access to your original key and the necessary effort. This is sufficient for the legislator. It would be different if you hung your key on the outside of the door a priori, like Youtube does.

It's possible to duplicate your key from the lock.

You need access to the key hole, a blank, and a file. The lock leaves scratches on the blank until it's been filed down to the right spot

Ok, obviously I have too little experience in picking locks; or maybe you have different locks than we in Switzerland.

GP was speaking metaphorically, following your (GGP's) metaphor. For some reason, you abandoned the metaphoric level and misunderstood this to be about real keys and locks.

For many and most physical keyed locks, you can decode the lock with special picks or impressioning tools. It can be pretty time and skill intensive though.

I don't believe that Github actually needed the EFF's writing for this, or that they don't have the necessary technical expertise themselves. That is probably rather a protective assertion not to lose face. But at least they seem to have learned something from it now and want to review such requests technically before they (unjustifiably) act.

Github links to the EFF letter [0] in the DMCA repo.

This letter spells out in clear, convincing and explicit detail why the RIAA was wrong.

Profit-making Github and Microsoft could have performed this analysis and championed developers themselves, but it was the non-profit EFF that actually did the work.

EFF deserves more credit than just a link for fighting against this shit.

[0] https://github.com/github/dmca/blob/master/2020/11/2020-11-1...

The EFF is probably more qualified to respond to this, actually, since they have some of the most experienced lawyers there are when it comes to defending fair-use/free-as-in-freedom works from malicious DMCA notices. Microsoft's best play is just paying them, which other comments indicate they are doing.

The EFF isn't just some non-profit, it's the premier legal entity defending internet freedom. This is squarely in their wheelhouse.

> since they have some of the most experienced lawyers there are when it comes to defending fair-use/free-as-in-freedom

And why would one assume that Github or MS do not have such experts? They undoubtedly have the technical know-how, and the primary findings in the letter are of a technical nature, or even obvious to technically savvy people. And the court decisions referred to are not about fair use or free-as-in-freedom.

Because Microsoft's goals are not directly aligned with fighting DMCA and similar legislation. It takes more than being technically savvy to fight legislation like this; actually, I would say being technically savvy but not experienced will leave you in an unfortunate spot because you'll see through all the copyright stuff but be unable to effectively fight it in court.

The question was rhetorical. They have huge legal departments all over the world. Copyright, licensing and patent contract law are among the most important areas for these companies.

Yes, I've read it. That's why I came to my conclusion. Btw. nearly all of the facts in the referenced letter were expressed in HN discussions just a few hours after the takedown. From my point of view they were obvious.

I agree that they were obvious and, as you say, the HN conversations show that they occurred to many technologists. That said, I think there is an argument to say that the EFF was better qualified to write the letter. The reason being that MSFT wants to look like an impartial content host (to avoid being liable) and the EFF is explicitly an advocacy group. If MSFT advocates for content on that platform, it could be portrayed as a conflict of interest by the RIAA lawyers. I completely understand the optics of EFF doing the heavy lifting on this one.

> If MSFT advocates for content on that platform, it could be portrayed as a conflict of interest by the RIAA lawyers

Well, that's what they are actually doing now; factually, it does not matter whether there was a letter by EFF or not; they should have come to the same conclusion even without the EFF; moreover, Github/MS are not accountable to the RIAA; conflicts of interest are not an issue here; in fact, to meet the due diligence a hoster would have to check whether a DMCA request meets the formal requirements and is well substantiated, otherwise the hoster could even be liable to pay damages to the unjustifiably blocked project.

This. Github is acting like the knight in shining armor, but they really didn't do anything except respond to the backlash their complicit no-questions-asked removal caused.

On the contrary, they’re doing a lot, including establishing a $1M legal defense fund for developers and a technical team to review the validity of anti-circumvention DMCA notices. It seems like they’re doing a lot more than just paying lip service to EFF / developer freedom, and they should be commended for it.

They’re correcting a wrong because their reputation took a big hit in the dev community. Now there’s big talk of the dangers of not self-hosting your repo and the monoculture of using GitHub.

Although it probably has good intent, this is largely PR.

Or they just panicked with the RIAA request and needed time to regroup. Cynicism doesn't have to be a hobby.

Being a rube isn't a great hobby either, that's why "fool me once ..." is a famous saying. As are the various versions of "who benefits?".

Pretty decent rules of thumb.

And at a higher level ... who cares if they did it maliciously or because they "panicked", you can't ever know that anyway and either one means you can predict what they will do in similar situations.

This isn't the first frivolous DMCA request GitHub complied with. A company owned by one of the largest tech companies in the world doesn't need to "panic" about something like this.

Sounds like cynicism is your hobby, buddy.

That's not what cynicism means.

Even if largely PR, that's still a million dollars.

After Nat's cynically duplicitous comments and actions, it's hard to view this as anything other than PR. A $1 million expense is not a big advertising expense for github. It was a $7.5 billion sale. Microsoft spent 0.013% of that on this PR piece.

I can't imagine the fallout from this didn't wipe several times that off of github's valuation.

If github had done this before the EFF letter, it would have been something else. With the EFF letter, they have zero liability to reinstating the repo, and are borderline legally required to do so.

We should still incentivize correcting wrongs over letting them stand.

Open question to HackerNews: are there big tech firms that give lobbying money to free software lobbyists?

Feel free to highlight them here.

I'd rather cut this problem off at the head than sit around and establish legal defense funds if possible. I'm glad GitHub and Microsoft could help contribute to this victory though.

> I'd rather cut this problem off at the head

I don't understand what you mean by this! I know it's an expression or a way of saying something, but I don't understand what you mean

"Removing outdated or poorly written laws by paying off Congress is more effective than funding lawyers to litigate their misuse on a case by case basis forever"

I'm guessing RIAA's lobbyists are more powerful than an EFF lobbyist. By powerful, I mean have deeper pockets.

We need to stop the existence of mafia like extortion rackets that claim they protect artists but in fact they line their own pockets and pockets of the labels and at the same time artists can't afford to even eat well.

Now that musicians make proportionally more from live shows (the recorded music is just the advertisement for the show), the idea that anti-piracy is for the artists themselves is even more preposterous.

UBI + no anti-piracy would clearly be a huge improvement for the vast majority of artists and art itself. Let's just do that.

Not all artists can do shows - e.g. disabled, but I believe true fans will buy a record. I wouldn't like someone like RIAA to pressure someone into paying just because they downloaded my song to check it out (and I wouldn't see the money anyway). These days we have great technology and companies like Spotify can pay artists directly. Labels these days can only provide financing (on mafia like terms) and influence gate keepers, but this is also changing. You can totally make a commercial grade record on your own without label involvement, same with videos, merch etc. and even gigs.

They are suggesting lobbying to change the law, rather than struggling with current law in court.

Don't lobby. Go to your local caucus and change it from within. Note that I said Caucus: even in a primary state there is some form of caucus where the party decides things. You want to be in this system, this is where the party platform is decided on. This is where the people who are working behind the scene to elect someone make the plans. In turn this is where politicians go to find people who will work for them. Which in turn means this is where you can have a one-on-one meeting from the standpoint of someone important to listen to. (when you spend a few Saturdays knocking on potential voters' doors for someone, that someone listens to you)

If both parties get anti-DRM legislation into the platform in random places you can be assured they will listen. If both parties see their big supporters as against something they will listen. Politicians do not want money, contrary to what you might think: they want power, and in this country that means they need votes. Money (for ads) is one way to get votes, but real humans doing real work is at least as powerful.

This sounds hopelessly naive. At the risk of starting a political flamewar, it’s really not possible for any individual to effect large scale change to policymaking beyond the hyper local level. It’s especially impossible to go against massive lobbying interests like the RIAA.

You alone yes. However if everyone reading this works at the problem...

Could you imagine getting HN to agree on what the definition of Open Source is?

If someone wants to do that bit I'd say go ahead. Don't tell people not to pursue lobbying though.

After the last four years I have now blocked all social media and all american news sources in my house with the expressed intent of not hearing a word about politics, news, etc... It has taken a massive toll on how I feel day to day, I found my personal relationships waning, and made me feel uncomfortable meeting new people. I'd rather pay someone to involve themselves with this kind of world, not be involved in it myself.

You start off saying don't lobby and then suggest a course of action that is lobbying.

Lobbying is not the same thing as campaign fundraising

The meaning is to deal with a problem before it grows worse. There are a lot of variances to the expression: 'cutting it off at the head', 'Nip it in the bud', 'Cutting the problem at its roots'. They're all references to killing something before it grows more difficult to deal with.

Nipping in the bud is preventing a problem from getting worse.

Cutting the head off the snake is about removing the point of control from an organisation.

Thank you for the correction.

I feel like the problem is already fully-realised in this case, so you can't "nip it at the bud" but have to stop the full-form yes? That goes along with "cutting it off at the head" moreso in my opinion.

"cut he/she/it/them off at the pass"

Pretty sure Google is ensuring employees to give money to EFF.

They should use the power of Chrome to discourage the use of DRM on the web instead.

I know you are dead serious and I agree, but this made me laugh at how such an obvious answer can be so absurd to the company itself since it's their window to the world of users. You and I would say that is their leverage in the fight of abusive DRM, yet they would argue it is what allows them to survive.

Given that Google is the author of the main browser-based content decryption module in use (Widevine), and Google also has a bunch of content provider partnerships to maintain, and they run YouTube, which in some ways relies on content owners not getting pissed off and suing it out of existence (content owners are the reason YT has ContentID, not because of any legal requirement)... I don't think it's in Google's best financial interest to fight against DRM. So they won't do that.

> I don't think it's in Google's best financial interest to fight against DRM. So they won't do that.

Yep, it's much cheaper to ensure employees to give money to EFF ;)

Whenever you watch a video you are downloading it. youtube-dl merely gives you control over where that stream goes, whether it's to a hard disk or to a media player like the regular Youtube.

> Whenever you watch a video you are downloading it.

Why is this comment downvoted? It's highlighting one of the most common misunderstandings that laypersons have regarding video download/streaming. Most people think that you can "view" content on the internet without downloading it. In this context, a tool which purports to "download" content, you know... sounds like it's nefariously doing something that the "viewing" tool (like a web browser) doesn't do.

This may be completely true in a technical sense, but that's not how the law works (see https://ansuz.sooke.bc.ca/entry/23). And while the same bits pass through your connection, this equivalence already breaks down right away: There is clearly a difference between persisting a media file to disk vs having it ephemeral in browser memory.

> There is clearly a difference between persisting a media file to disk vs having it ephemeral in browser memory.

Is there? When "streaming" video, there most certainly is a copy of the bits being stored on a disk to ensure that the video "stream" plays cleanly and without interruption.

Are you making the claim that "streamed" video is never buffered/stored on disk? That's an odd claim to make. I'm no expert on video streaming, but I would be very surprised to find that all video streams are only stored in RAM and not on disk.

I may well be wrong about that. Perhaps someone more knowledgeable could chime in.

That's again exactly the technical detail fallacy the comment you replied to is arguing against. No, they are not making the "odd claim" you suggest. They suggest that laws make the difference when deciding about infringement. E.g. by explicitly excluding temporary copies created while watching as intended, where it doesn't matter how the OS and the browser handle the memory internally, but a thing that results in a file on disk the user keeps is clearly different. (Similarly to how software being copied into swap-backed memory while you run it is not an illegal copy, whereas copying the file elsewhere might)

Certainly with DRMed video it is common for the video to never be buffered/stored on disk. Sometimes a few seconds is, but even that is uncommon, and more likely it would simply be retained in RAM now.

With more secure DRM systems the OS literally never gets access to the video buffer, protected by hardware, in order to even send it to disk.

An interesting question along these lines arose recently in relation to an Australian password disclosure law that related to accessing “computers,” which was used to compel disclosure of a smartphone passcode. To HN readers and the digital forensics people who pull data off smartphones, they’re obviously computers. But the judge was not convinced that a law written to allow access to “computers” in the early 2000s was intended to allow access to smartphones today, which contain far more personal information than the typical personal computer of 20 years ago. After all, if you asked someone “do you have a computer?” they would be unlikely to say yes based on their possession of a smartphone. And if you ask someone who streamed a YouTube video whether they “downloaded” it, I think in most cases the answer would be no. That’s why the tool is called “youtube-dl,” even though it is now used for streaming as well.

> There is clearly a difference between persisting a media file to disk vs having it ephemeral in browser memory.

yes, at some point actual human intentions must come into play. you can't defend stuff like CP by saying "it's just some EM pulses, what's the big deal?". or "no I'm not invading your privacy with my IR camera, you are broadcasting in the IR spectrum!".

in this case the implementation does blur the line a little bit. what if the browser's memory gets swapped out to a page file on a (spinning) hard drive? even if the cache gets "deleted" after closing the tab, it might be quite a while before the sectors containing that protected sequence of bits get overwritten. is this infringement?

I agree there is a legal/practical/moral difference between streaming and downloading something. But there's no need to obscure the technical difference by downvoting people when they point it out.

The point is that youtube-dl does more than just download videos. It can also be used for downloading metadata. I use -J to download metadata formatted as JSON.

Is that metadata protected by some sort of mechanism? Or is it just not queried by default using one's browser? I.e., is youtube-dl calling a public, unsecured API, or is it circumventing some sort of copy protection?

Because if it's just querying for metadata that anyone can already query for...your point seems immaterial as to the legality of the tool?

They're saying that sure, the name youtube-dl might well imply it's specifically for downloading things from YouTube, but that doesn't mean it's specifically for downloading video from YouTube.

How much of that metadata is not normally downloaded alongside the video?

Plenty of it? I regularly download the metadata and subtitles of entire channels or playlists so that I can search for specific words or phrases in thousands of hours of video. I know of no other way to accomplish this.

Subtitles are a perfect example of data that any normal browser downloads if you click CC, and can even be ^F'd if you click ‘Show Transcript’ on YouTube, but just happen to be orders of magnitude more useful if you control where they download to. I think you’re proving globular-toast’s point.

Subtitles are not video, so no. And I'd like to see you visit a thousand video pages with an RIAA approved browser and ^F on each of them. Nice joke!

Why should subtitles and video be considered so discretely? Are subtitles not copyrighted the same way as the audio and video portions of the work?

Beyond subtitles, there is certainly video metadata that youtube might have a claim on but the RIAA does not.

The principles are essentially the same, but they are discrete copyrights which could be owned by different people.

Thank you so much for writing this comment!

I've been in several situations where this would have been incredibly handy, but never realized it was possible.

`youtube-dl --write-sub --write-auto-sub --sub-lang en --skip-download [URL]` (Then just use grep)

There's all kinds of cool stuff you can do with youtube-dl. For example 'ytsearch20:kittens' will get a playlist of the first 20 search results for 'kittens'.

This sounds incredibly powerful. Wondering if c-span is on youtube and properly close captioned.

According to their FAQ, c-span.org's search uses closed captioning to facilitate search (but they don't provide copies of those transcripts.) Perhaps that might suit your needs though.

EEF deserves every penny of donation they receive.

The EFF might deserve it more though

Couldn't agree more: https://supporters.eff.org/donate/

not sure if you noticed, but the parent comment was joking about your typo -- you said EEF, not EFF :)

Oh! I see... well... my bad... ¯\_(ツ)_/¯

GitHub is owned by Microsoft, who is a member of the RIAA who created this legal action.

For Microsoft to pay for the lawyers to take it down (via their RIAA membership payments) and also pay for the lawyers to keep it up seems... rather silly.

From the outside in, there are a lot of aspects of the legal system that look like this - welfare for lawyers. Unfortunately, fixing it requires changing the law and we've made a practice of sending a lot of lawyers to Capitol Hill who are very sympathetic to the needs of lawyers. It's probably the biggest self-perpetuating interest group there is.

Let's assume, for once, that what they wrote is what they stand for.

I think this is a very very good / exemplary reaction.

Why didn't they start with youtube-dl though? They will defend developers and err on their side "going forward" but no not that one?

Surely they already had the legal manpower when the youtube-dl removal started making waves. The fact that they did nothing for over three weeks and are publishing this blog post right after the issue was fixed by someone else (EFF) makes it hard to believe their "changes".

In large organisations, with lots of tape actually getting the ball rolling on what is proposed with all the sign offs, funds allocated, people/resource allocated for the tasks.... It takes months, not weeks.

They probably published this off the back of a signed off proposal and may start implementing off the back of it early next year.

My daily work is often not ad hoc or that fast;

I'm not sure why this is so unrelatable to you but for me, daily business is, that things just take 1-3 weeks.

Legal manpower still means, that people interrupt their current tasks, which they properly have plenty of, to reprioritize something, others might even not care about at all or never heard of.

I stay with my statement and I have enough life experience that I don't expect a 3 minute solution and answer from github.com

I didn't expect any "3 minute solution", but realistically they didn't even have to get the problem fixed. They could have pledged to assist youtube-dl by now, helped them file a counter-notice sometime this week (surely they can get 1 lawyer's time for pressing PR matters), and figured out how to deal with the human resource situation over the coming months.

Instead they found a million dollars (!!!), wrote a blog post with explicit commitments, but then waited on somebody else to step up. It just doesn't add up.

Someone on github had to care for this project; Then someone with the proper level had to care for this and understand the situation.

Then you need meetings.

You need to 'coordinate' your message or whatever.

You need to talk to the legal department and stuff.

What is not 'adding up'?

And why is it an issue that it took a little bit?

I agree with you completely. Someone high-up needs to care for this to get going.

GitHub's CEO claimed he cared, October 27: https://twitter.com/natfriedman/status/1321221940774723584

The fact that he didn't get a coordinated message or anything at all in the following three weeks shows how much he really did.

When Microsoft and the RIAA square off, the letter of the law isn’t really the battlefield. The battlefield is influence with the US Senate, and the EFF, while well regarded, is a Sancho Panza compared to Microsoft.

Microsoft won't square off with the RIAA since they're part of it.

So Microsoft sent a bogus DMCA takedown request to Microsoft, and the non-profit EFF had to respond to keep Microsoft from suing Microsoft?

Microsoft also has a program for matching employee donations to non-profits, so it's likely Microsoft has also given money to the EFF as well.

I guess that's one way to put it :-D 2020 sure is a strange year.

How has youtube not sent a cease and desist for the name youtube-dl?

They would most definitely have a case that the name makes it appear to be a youtube product. Would a cease and desist for the name only somehow imply that google has no issue with the functionality?

Because I know not protecting your trademark can lead to dilution. And by issuing takedown notices, they are showing that they are aware of the existence of this usage of the youtube trademark.

Youtube has to realize that a significant amount of content that people watch on its site is reaction, commentary, compilations, and other recycled content.

I think it's for this reason that they don't go after these projects very aggressively.

It's just arbitrary. There's prob even a low-sev ticket somewhere in Youtube's issue tracker to take out youtube-dl. They can do it at any time.

That they haven't done it (make youtube-dl's life harder) yet just means they might do it tomorrow, not that they don't care.

> If GitHub were fighting for the developer they would have funded the attorney, right?

By expressly taking the side of the accused (such as paying their attorney), GitHub could have opened themselves to being liable for whatever youtube-dl does.

Having the EFF as an independent party sidesteps that issue.

Honestly, the name is problematic. Why do some developers insist on bad names? Stop the bad names .. unpronounceable crap like xoyx-mp4, zycx10 should also be avoided .. what's wrong with vidl, or something simple like that? .. I'm half joking, but it's worth underscoring.

They literally had a test case in the repo for circumventing copy protection on youtube.

I'm somewhat baffled they managed to get the repo reinstated given that's very much a violation of the DMCA.

The argument is that it doesn’t do anything that a web browser doesn’t do already, and there’s established precedent that it’s not “circumventing copyright” if it requires no secret knowledge.

To be honest, I had no idea youtube-dl did anything else other than download YouTube videos. What other functions does it have?

"Downloading" doesn't mean "saving a copy" (unless you count "saving a temporary copy of its chunks in RAM"...). Most of my youtube-dl usage comes from its mpv integration, so the video is simply streamed directly for playback.

It supports a lot of video sources [1], not just Youtube.

[1] https://github.com/ytdl-org/youtube-dl/tree/3f1748b9445e9d93...

I was surprised today that it supports downloaded videos on reddit too.

It supports a gigantic number of websites, including audio ones. Most of the time, I use it to have an offline copy of a podcast, radio show or some video that I might need to look at wherever I am not guaranteed to have an internet connection (very useful when travelling). It also has a lot of useful options like downloading the audio only of a video, choosing the quality of the video/audio which might be hidden in the website you are trying to watch it from, downloading subtitles (this is just so useful), you can pass ffmpeg options also to post-process the video in one go, ... There are just so many things you can do with it. One last example: one of my computers really struggles to watch video/stream directly from the browser (for whatever reason), but with youtube-dl I can stream directly to VLC/MPV and it uses 1/10 the CPU compared to watching the same video in the browser.

youtube-dl is a networked multimedia swiss army knife supporting many operations and manipulations of audio, video, metadata, and auxiliary content from many video and audio hosting sites and platforms, as well as serving as an access layer for several playback tools, including mps-youtube, mpv, and VLC.

It supports audio-only sites too. I personally sync my favourites on Mixcloud with it.

An important point:

There are many videos on YouTube that are 100% legal to download.

Also their examples in their docs for youtube-dl included copyrighted content ...

I'll let the lawyers debate that whole thing, but IMO I think that was a bit of a mistake / bad idea. Granted, fixable, but maybe a lesson of something to avoid.

Actually it seems more like the EFF had nothing to do with it at all and the unit test patch is the reason it was restored - just like Github says in the blog entry.

i have ytdl bound to some macros on my browser, so i can stream videos outside of the browser for accessibility reasons

Add to this that the original author recently posted a story about the origins of the youtube-dl script admitting it was designed to do:- download YouTube videos and name the downloaded files appropriately.


Under DMCA, neither writing a script like youtube-dl nor using it is prohibited (making an unauthorised copy of a video could be fair use). [FN1] Section 1201 however prohibits distributing the script to others. Thus, the author of the script who "releases" (distributes) it is not necessarily the only one who might be violating the DMCA. Any recipient of the script who distributes it further, e.g., Microsoft, could be violating the DMCA as well.

FN 1. Section 1201 prohibits distributing technology that is designed to circumvent either "access controls" and/or "copy controls". Similarly, the act of circumventing "access controls" is prohibited. However, the act of circumventing "copy controls" is not explicitly prohibited. Making unauthorised copies, e.g., downloading YouTube videos, is subject to the defense of fair use. It is arguable that youtube-dl is only designed to circumvent "copy controls". As others in the thread point out, there are generally no "access controls" on YouTube videos, e.g., password protection. There could be exceptions. If youtube-dl is designed to circumvent geographic or age restrictions, would those be considered "access controls"?

Aside from DMCA concerns, Google's Terms of Service for YouTube would appear to prohibit use of youtube-dl:

"The following restrictions apply to your use of the Service. You are not allowed to:

1. access, reproduce, download, distribute, transmit, broadcast, display, sell, license, alter, modify or otherwise use any part of the Service or any Content except: (a) as expressly authorized by the Service; or (b) with prior written permission from YouTube and, if applicable, the respective rights holders;

2. circumvent, disable, fraudulently engage with, or otherwise interfere with any part of the Service (or attempt to do any of these things), including security-related features or features that (a) prevent or restrict the copying or other use of Content or (b) limit the use of the Service or Content;

3. access the Service using any automated means (such as robots, botnets or scrapers) except (a) in the case of public search engines, in accordance with YouTube's robots.txt file; or (b) with YouTube's prior written permission;"


Would these TOS be enforceable if challenged? #1 makes no allowance for fair use. What do you think?

> It seems like EFF fought for youtube-dl and GitHub used their letter as legal firepower to bring the repo back online.

I'm at least one of those who requested EFF to take a look on "The RIAA’s attack on YouTube-dl is not a DMCA 512 infringement" thread.[0,1]

[0] https://twitter.com/app4soft/status/1320617082866847746

[1] https://news.ycombinator.com/item?id=24888234
