This is incredibly shameful. It's now only a matter of time before images, CSS, JavaScript, hell, even the text, are delivered through OS-specific, locked down CDMs. It will start with pissant sites nobody cares about (like the ones who are currently fighting AdBlock), but eventually a large site will demand it - most users will be using a device that handles this, and we will literally never have the Open Web ever again. (If you can't imagine how this would be done, go look at a restaurant website without Flash. Replace Flash with a gigantic EME-required media element. It's closer than you'd think.)
I get that slippery slope arguments are often problematic, but DRM has always been something where we've slid down as much as is allowable as soon as it is allowable. The broadcast flag, Macrovision on DVDs, SCMS, Cinavia, etc. are just a few examples of this.
I also don't feel the 'open source sandbox' will be permissible by most developers of CDMs. My opinion is that Mozilla will waste countless cycles implementing EME that won't be acceptable to the content mafia. Adobe is not the only player in this space.
I think the bigger issue is how little the vast majority of technology users understand these issues. To them, so what if the movie studio wants to limit what people can do with a copy of their movie. "We've got streaming movies from major studios, yay!" they all say.
And I don't know how you educate folks. These are the same people who would shrug their shoulders and say "So what," about NSA wiretapping. "I don't have anything to hide."
There is no thought given to the possibility of abuse in the future once these rules or systems are entrenched and standardized.
> It's now only a matter of time before images, CSS, JavaScript, hell, even the text, are delivered through OS-specific, locked down CDMs
Do you have any other sources that indicate this push? Seems a possibility but it's the first I've heard of this kind of lockdown. Seems like the cost would greatly outweigh the benefits...
The point is to put the slippery slope argument into context. Mozilla had made the sandbox very explicit and divorced from the rest of the content in the DOM.
> We face a choice between a feature our users want and the degree to which that feature can be built to embody user control and privacy.
It can't be said for all users. I don't want it. No DRM junk in the browser please. I understand that she probably means some estimated majority, which is unfortunate (i.e. majority accepting unethical practice like DRM).
> Firefox users would need to use another browser every time they want to watch a controlled video
Irrelevant for many users of DRM-free OSes (like Linux) who won't have any DRM backend for EME anyway. I.e. it really sounds like "users would need another OS".
> Each person will be able to decide whether to activate the DRM implementation or to leave it off and not watch DRM-controlled content.
I hope there will be a switch for disabling the whole EME altogether. Even better, I'd prefer builds of Firefox free of any DRM sickness. It's very unfortunate that this garbage is finding its way into the open source browser which always stood for the users' rights more than many others.
Are you kidding? DRM is great. I love being able to just pay money to Netflix in return for content. DRM enables that nice, clear-cut transaction. What's the alternative? Judging by the rest of the web, it involves tracking your internet activity and throwing advertising in your face.
DRM is never great. Show me one user who actually appreciates DRM itself. What you meant above is that users like the service. They could like it even more if it hadn't DRM garbage attached to it. I.e. DRM has nothing to do with what users like - it always degrades the quality of the service and the digital goods it delivers.
If you're watching streamed video, the DRM is completely transparent. I don't see how that is a degradation in service.
The only way it would be an issue is if you're trying to rip the stream. But if you've paid the provider for streaming only, rather than to download and keep a copy, then that's also not really degrading the quality of service. Similarly, the prohibition on bringing a video camera in to record cinema screenings does not reduce the quality of the cinema experience.
In general, I don't really see a problem with DRM that is temporally bound to the moment of consumption.
> If you're watching streamed video, the DRM is completely transparent. I don't see how that is a degradation in service.
It is crippling usability in several ways:
1. DRM is usually not portable (or not ported at least). I.e. most probably it's tied to certain devices / operating systems / applications and etc. For the end user it translates to "you can't watch it on the device / operating system / application of your choice".
2. DRM prevents backups. If the service goes bust or you lose connectivity - you have no access to your data.
3. DRM poses a security / privacy threat. Being transparent doesn't make it any better - it only makes it worse (think of a hidden camera).
All those are clearly examples of degraded usability no matter how "transparent" some DRM is.
Regarding your first point, hasn't this always been the case even before DRM? For example, one cannot directly interpret the magnetic fluctuations encoded onto a cassette tape - a tape player is needed to transduce the signal. DRM just takes this a step further by introducing cryptography and obfuscation into the decoding process.
I don't think backups are relevant to DRM-laden streaming video, given that it's someone else's data that you happen to be observing.
I'm not sure what you mean by a security and privacy threat. Surely it is no more of a threat than visiting potentially untrusted websites, or using closed-source or unverified open-source binaries, in the first place?
> Regarding your first point, hasn't this always been the case even before DRM?
It's not the case for any normal standard portable format (video, audio, etc.). They can be accessed on any platform. DRM prevents that, limiting your options for where and how to use it. If you take the tape analogy, you can play your tape in any player. Imagine a tape which is only playable in a Sony player or whatever. It's clearly a defective product in my view.
> I don't think backups are relevant to DRM-laden streaming video, given that it's someone else's data that you happen to be observing.
That's exactly the point. It means usability is reduced if anything goes wrong with the service or you can't connect to it or whatever other similar reason.
> I'm not sure what you mean by a security and privacy threat.
Since DRM is based on distrusting the user (assuming all of them are potential criminals by default), symmetrical treatment for it from the user's side should be "always potential malware by default". Here is a good example of this: https://en.wikipedia.org/wiki/Sony_rootkit
Since DRM is always a black box / closed code, it adds to the reasons to never trust it.
I don't think DRM really prevents anyone from watching video. There are plenty of alternative options. For example, for popular films, one option would be not to use the streaming video service but instead purchase a DVD. Another alternative is to use a platform that supports the desired DRM-laden streaming video service. A more difficult approach would be to reverse engineer the DRM software and reimplement it for the chosen unsupported platform. So it's not ultimately limiting, at most it's a small inconvenience.
The same arguments apply to the issue of backups. It would be highly unusual for the only copy of a media product to be only accessible via a DRM-encumbered streaming video service.
I do see your point on the lack of trust though. In this case, hopefully Mozilla's sandboxing approach would go some way towards mitigating that. And the inevitable disassembly of whatever closed-source binary they release.
> I do see your point on the lack of trust though.
If you put that in perspective of recent privacy / mass surveillance issues, DRM is a perfect ground for various agencies to put their effort into. After all, DRM is already by design intended to spy on users and control what they do, plus DRM is massively deployed because many consumers accept it without second thought.
That's like saying nobody likes the turnstile on the subway. Of course not, but it enables the service to exist in the form it does. I'd much rather go through the turnstile, as awkward as it can be if you've got a suitcase, etc, than be forced to watch advertisements during my subway ride...
> I'd much rather go through the turnstile, as awkward as it can be if you've got a suitcase, etc, than be forced to watch advertisements during my subway ride...
That's quite a false dichotomy, since the service clearly can exist independently of DRM (both technically and economically).
Furthermore, this dichotomy doesn't work either in your analogy (there are ads on the subway, and yet I still have to pay) or in the real case we're talking about (Hulu+ is a paid service locked down by DRM, and it still shows advertisements).
Amazon sells music perfectly without any DRM. It doesn't just exist - it brings them tons of profit. GOG sells games without DRM - and having growing profits. And etc. and etc. Your point disproved.
I assume that DRM has no effect on piracy (it doesn't) and it always degrades usability (it does). Which means scraping it off always has no financial impact except for improving usability of the service and reducing costs of using DRM itself. Better usability + more user friendliness = more satisfied users + more new users = more profit.
I don't think it's a reasonable assumption to make that DRM has no effect on piracy. It won't stop sophisticated pirates, but I do think it stops people from releasing an easy-to-use app that lets your grandma store Netflix movies locally.
Reminder to everyone: use downvote only for poor behavior, not disagreements. Appreciate that rayiner often provides intellectually honest contrarian viewpoints to many arguments. If people like him weren't here, this place would just be a big and disgusting circlejerk round the clock.
Grandma doesn't need to store Netflix movies locally. She can head to the Pirate Bay (with adblock lol) and download the video that a "sophisticated pirate" kindly ripped earlier. She never has to deal with the DRM at all.
Why bother with letting grandma store Netflix movies locally in a hypothetical DRM-free world when you can just use BitTorrent to download them now?
There's no reason a BitTorrent movie downloader couldn't be made just as easy to use as a Netflix downloader. If one doesn't already exist, it's not because DRM is somehow stopping it.
> I don't think it's a reasonable assumption to make that DRM has no effect on piracy.
It's not just reasonable, it's easily demonstrated in practice, when goods released with DRM are pirated almost right away (with DRM being scraped off). Sophisticated pirates are needed to break DRM. Unsophisticated ones get it from them without any hassle. Which means that DRM has no effect altogether except on legitimate users!
I.e. the vast majority of pirates never deal with any DRM, and experience of legitimate users is always degraded by it. It's pure common sense that removing DRM would always improve any service. And the fact that it's not happening is caused by other reasons (see above).
No, DRM does not enable the service because it's not an essential part of it. The service could work without DRM all the same while being ethical and more user friendly at the same time. DRM is like a sickness attached to an otherwise healthy product. It only becomes better when you remove it.
That's like saying the subway turnstile isn't an essential part of the subway. It's only true if you define "essential" in a narrow technical way that ignores the realities of having to monetize the use of products and services.
> realities of having to monetize the use of products and services.
Essential means technically and financially essential. I.e. without it the service can't work or can't bring profit. DRM is neither of that. Those who require DRM [publishers] have no technical or financial reasons to justify it. No valid ones at least (all reasons they usually voice are false, and their true reasons they usually don't voice).
1. Monopolistic lock-in. DRM is more than often used to control the market. It happened with Apple in the past, and was one of the key reasons that music publishers realized that being DRM-free is actually better for them.
This reason also includes DRM derivatives like DMCA-1201 and the like. It's all about control (over the markets, over users and etc.).
2. Covering one's incompetence. DRM is used to justify failing sales (i.e. when execs are questioned about why the product performs poorly, they say "Pirates! But worry not - we put more DRM in place").
3. Ignorance and / or stupidity (many execs have no clue and might believe that DRM actually provides some benefit). This type can be called DRM Lysenkoism.
None of these reasons are valid, all of them are crooked and anti-user, but they are often present in various combinations.
It's not always the publisher. It can benefit some middle parties which implement DRM. Or for example mobile carriers which use DRM to prevent users from switching. Or whatever other monopolistic lock-in scenario.
When publishers realize that monopoly falls to some other hands, they quickly become sober and find common sense. When monopoly remains theirs, they pretend that DRM is needed for other reasons.
The turnstile is actually a great analogy for DRM, including all of its flaws. And the turnstile isn't what allows subway service to exist.
A turnstile isn't very hard to jump over. If the turnstile is the only enforcement mechanism, anyone who wants a free subway ride just has to vault over (or perhaps also glance around to see if there are cops nearby, google whether there are monitored cameras, or pull a hoodie over their face).
There's an alternative, though: most places in Europe, there are no turnstiles, and nothing preventing you from getting on public transit without paying. It's a "trust but verify" system: you are required to validate your ticket before you get on the train, and occasionally someone comes around the train to check if you have a valid ticket, and issues a fine if you don't have one.
With this method, the users aren't inconvenienced, enforcement costs are reduced, and everyone's happy. With the turnstile, you get massive queues at busy stations during rush hour, and by making this one mechanical device your sole point of enforcement, you've actually made it more likely that people who don't want to pay will cheat the system.
Some places don't use turnstiles. Instead, you voluntarily validate your ticket with a machine. To ensure compliance, random checks are performed, with a large penalty if you don't have a valid ticket. It's a pretty nice system.
Similarly, some places don't use DRM. I don't think it's made it into the video space yet, but legitimate DRM-free music is common. It seems to work pretty well.
To say that DRM enables the service to exist only works if there's no other, better way. But there is, and the only reason we don't get to have it is because of customer-hostile policies from media companies.
What is happening here with the reply links? Apparently you two can still post but nobody else can (at least I cannot). Is that the new policy from a while ago?
You can answer, but first you might need to click the "link" link. I'm not sure why it's needed sometimes. Maybe when discussion happens too rapidly, the site assumes it can be some spam bot or whatever. So it puts some roadblocks.
As it happens, a lot of subways don't have turnstiles or ads, but instead periodically check for tickets after you're on board. I don't think that's terribly relevant here, though.
I also love being able to pay Apple money in exchange for DRM-free music. Also, DRM on video is approximately 0-efficient; pirates will still rip movies and upload them to torrent sites, freeloaders will still find free low-quality streaming movie sites, and the majority of non-technical users wouldn't be able to rip streaming video even without DRM.
As easily as Mozilla can make an open-source DRM client... simple (DRM will be broken sooner rather than later, if it hasn't been already), but you can't distribute it. So we're back to "pirate channels", like all the movies today.
And in any case, this misses the point: non-technical users won't distribute pirated content, even if they could rip it. Who are they going to distribute it to? Friends? Whoever wants free movies, can get them easily. But the main advantage of streaming, on-demand-ness, remains in the hands of the big players, who can afford to lease the servers and pay for the bandwidth.
Movie rentals existed before Netflix. It's always been technically possible to make illegal copies of movies. But most people would rather have a legal option. Otherwise everyone would skip Netflix and just use the Pirate Bay.
Edit: To be clear, I'm saying that people will pay for a legal streaming service even if they could rip it off for free.
Correct. Thus it is a very bad idea to infuriate the people who love music/movies with DRM mechanisms, because otherwise they'll just pirate and not buy.
What about Netflix requires DRM? I know that the studios currently require it but what benefit does it actually serve? How much of the content on Netflix is not available to pirate if so inclined?
The handwringing over this strikes me as extreme. Mozilla already ships with the ability for users to enable closed-source, proprietary DRM schemes to view web content -- the Flash and Silverlight plugins. Moving from the current regime of Flash/Silverlight to the EME is a move towards openness, not away from it -- the DRM scheme is still closed, but the content itself is more open and standard than before, as you're no longer tying yourself to Flash's implementation of video streaming.
I agree, and think the sandboxing of the DRM plugin is a positive step towards more openness as well - the opaque algorithm implementing the DRM can apparently only touch the video streams it's being fed, and a unique identifier generated by the browser. Much better than the current situation of Flash having arbitrary network access and suchlike.
In concept, I think it's not too much different from server-side website code being mostly closed source. The only difference is that this component happens to be running on your computer.
Also there is prior form for this in similarly open systems, e.g. tainted modules in the Linux kernel, which seem to have turned out okay.
> Each person will be able to decide whether to activate the DRM implementation or to leave it off and not watch DRM-controlled content.
At first glance this may seem pretty "reasonable", but it really isn't. It's like putting a backdoor in every Intel chip (such as say through TPM 2.0), and then just telling people "look, if you don't want the backdoor activated, you can disable it - Now here's the list of 10 instructions to do so..."
It's an illusion of choice, and nothing more. While some may be content that this option exists, the reality is that DRM is now getting pushed to billions of users out there through the web, as the default for soon most video platforms.
I don't fully blame Mozilla for this. In fact I blame Netflix first, and Google and Microsoft second. This Gang of Three is the one that made it happen in the first place. But I am saying that Mozilla's attempts to alleviate our concerns aren't very effective or particularly useful.
A number of content owners (in particular film and TV studios) require technical mechanisms to reduce the ways in which people can use that content
DRM is the opposite of serving users. By definition. The "challenge" is actually to select which privileged users you still want to serve in spite of the not-serving default.
I wish I could be against all DRM. Like many things in life, it's not that simple. I'm proud of Apple for successfully taking DRM out of the equation from music sales. But what about non-sales interactions?
We don't get DRM-free copies of all our music from Spotify, nor should we reasonably expect that. We are subscribing to a service that allows us access to music so long as we are paying customers. Why shouldn't there be light-touch DRM in place to keep us from flagrantly abusing the system and retaining all copies of the music after if/when we cancel our subscription?
Should we reasonably expect to be able to keep a copy of a television show that we streamed from abc.go.com? ABC makes far less money from showing us ads than if we purchased a copy from iTunes. They do this, part and parcel, because we don't get to keep a copy of the show after we're done watching.
From my perspective, DRM has no place in a "sales" relationship. We should have full usage rights whenever we buy a book, movie, or song.
DRM should exist for subscription services and ad-supported streaming. DRM should essentially serve to enforce the social and legal contract that says we are "borrowing" the books, movies, or songs for as long as we have that relationship. Once that relationship is over, we can't use that stuff any more.
I suggest that we create an open-source DRM system designed to fairly protect the content creator in cases where the audience is "borrowing" the creative work (whether ad-supported or subscription).
> We don't get DRM-free copies of all our music from Spotify, nor should we reasonably expect that.
Why not? I use a number of internet "radio" stations that send DRM free mp3 streams to my computer (complete with ads). Some even have paid accounts that stream at a higher bitrate.
The only reason Spotify can't do that is because the recording studios act like frightened little children, scared that someone is going to take their toys away. They've (somewhat successfully) planted the meme that DRM is required or the evil pirates will just steal everything and they'll go out of business. But I just don't buy it.
Mozilla should have done the right thing and stood by their beliefs that DRM is harmful to the free web. Instead, they folded to the media corporations and implemented EME. I understand the tremendous pressure they must have been under, but it was the wrong decision. Mozilla is not serving the users by allowing Netflix, Amazon, and others to trample their freedom for the sake of watching TV shows.
Mozilla, please remove this anti-feature. Do the right thing.
> It will be easier for Firefox users to play DRM-enabled videos because they will not have to download Flash or Silverlight first. Firefox users will be able to choose whether to activate the new DRM system before it is accessed.
Why not have this downloaded upon first use, the way that Flash and Silverlight have been?
Also, isn't this what users on many Linux distros (e.g. Iceweasel on Debian) will have to do anyway?
Mozilla employee here, speaking for myself but pretty close to the info source.
That's actually what we're looking at doing: the sandbox would be in there, harmless, by default, but the actual crypto module (the "CDM") would download from Adobe upon first need. (And they have committed to support the platforms we support, Linux included.) The exact UI is still up in the air. I could imagine us using the opportunity to display a message to educate users as to what DRM is and whose phone number to call if they don't like it. ;-)
> I could imagine us using the opportunity to display a message to educate users as to what DRM is and whose phone number to call if they don't like it. ;-)
Please do this!
I understand that Mozilla has been backed into a corner on this, so I get why you'll be adding this (much as I wish you didn't have to). But that doesn't mean forgetting about the issue entirely.
I wouldn't ask this of any of the other major browser vendors, but I like to hold Mozilla/Firefox to a higher standard. :)
So... how long until we reverse-engineer the CDM and write a free decryptor? Is there any indication that reverse-engineering the CDM would be technologically unfeasible?
Is it part of the nature of the DRM technology that it can't be walled off in an XPI? I find myself thinking the change would be significantly more palatable for those who care deeply about the division of open and closed source if Mozilla could implement this by building a video-supporting XPI that users can choose to not install (thereby verifying that no closed-source blobs are living in their browser, spying on them or whatever closed-source blobs do that is so undesirable).
Mozilla should implement the closed-source portion as an official addon. They can give the user a choice to include it or not during the installation. Maybe this is what they're doing; their post wasn't completely clear on that.
Highly recommended reading is also this post, which discusses how Mozilla will implement EME: https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...