Hacker News
YouTube Ditches Flash, and It Hardly Matters (eff.org)
381 points by sinak on Feb 7, 2015 | 185 comments



One thing to note is that (last I heard) both Chrome and Firefox sandbox EME modules fairly tightly. Flash is a browser plugin, which means that it usually injects code into the browser itself, and runs with full privileges on your computer, just as much as your browser does. This is what makes Flash such fertile ground for exploits of all kinds, and also makes it bad for your privacy because it has direct access to your webcam, microphone, clipboard, supercookies, etc. — anything the browser can do, Flash can do without asking. If it asks, it's out of the kindness of its heart, not because the browser has any say.

Chrome and Firefox's sandboxes, meanwhile, are both open-source. You can inspect what powers the EME module might possibly have, and know that it can't gain any more. A vulnerability in the code is unlikely to be able to do anything other than pirate your download of Game of Thrones — and that's assuming it even has general-purpose network access. Ideally, a vulnerability would be able to do nothing other than modify the video you see, but the remote site could achieve that by encoding a modified video in the first place.

As far as the general moral arguments about DRM go, it's true that the new boss is the same as the old boss. But the bulk of the EFF's argument against Flash in this blog post is about security, not about open content, and it's important to acknowledge that EME is a significant step forward. The new boss is sitting in a tightly locked cage.


It's more about freedom than security though. Really if anything, EME is about security for vendors, not users. Really, not much to do with the fact that it's sandboxed. It's not like if proprietary, freedom-restricting software was suddenly ok because there's some kind of a sandbox around it.. as if the only issue with these was that they're poorly coded and supported.


> Really if anything, EME is about security for vendors, not users.

EME as originally conceived is about security for vendors, yes. But Firefox and Chrome, which take their roles as user agent seriously, made sure the spec is one that they can also implement securely on their end. This is a ridiculously huge improvement over NPAPI.

Browser plugins can restrict your freedom in two ways:

1. They can monitor and restrict what you do with the content you're accessing through the plugin.

2. They can monitor and restrict what you do with ANYTHING ELSE IN THE BROWSER OR ANYWHERE ON YOUR COMPUTER.

EME-restricted video can do 1, but cannot do 2. This is not a complete victory for freedom, but it's a significant step forward.

Most of us do not live in a free-software utopia where we have direct control over every part of our machine from the firmware on up. (Although I have a lot of respect for the people who are trying to get us there!) Even if we're running a free OS, we assume, against our better judgment, that the firmware is doing only what it should be doing. If it's not, then it throws the rest of our freedom out the window.

Sandboxing EME allows us to ensure that one non-free part of the system, if we can't get rid of it, is restricted to doing only what it says it can do. This is a lot better than the status quo for any mixed free/non-free system (including free OS/non-free firmware). It's not quite the same as getting rid of it or making it free, but it's certainly not nothing.


> as if the only issue with these was that they're poorly coded and supported

A major issue is that arbitrary code can do arbitrary things, up to and including installing rootkits on your machine (for example, the Sony rootkit debacle). The sandbox means it can only do what the sandbox allows it to - in the case of Firefox's sandbox, that's very little.

"I should be able to watch whatever content I want on my system without installing proprietary software, even if that software is highly sandboxed and can't even see anything on my system and can't cause any permanent changes" is a political and moral issue more than a technical one.


No user is being forced into using this. I haven't really followed this argument from the beginning. Philosophically I despise DRM, but pragmatically as long as it isn't forced on users as the only option, then I don't see any issue with an extension having that option being available.


It will be forced on the users, though. If it becomes widespread, the choices are to support DRM or be locked out of the web.


> If it becomes widespread, the choices are to support DRM or be locked out of the web.

Or use a free and open source browser that doesn't implement it. If this is something people want to take a principled stance against, those browsers will doubtlessly continue to exist.

Unless you're referring to the content access. That's a general trend with technology that likely won't be stopped. If you choose not to use certain technologies, it's unsurprising that you won't be granted access to certain things.


Not being able to play protected content (which you couldn't in the first place without installing Flash or another proprietary plugin) is a far cry from being locked out of the web.


No user (statistically speaking) even knows what EME is nor what EME (and DRM in general) implies. It says a lot about the morals and intentions of an industry when they are so quick to exploit that ignorance.


It definitely is in a tightly locked cage. Firefox even generates the device fingerprint itself rather than allow any machine access. An EME module cannot access the Internet, nor store data to the hard drive. There's a detailed writeup here: https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...


An interesting technical claim to sandbox a process in such a way that it has free access to display drivers and hardware modules (TPMs) but not the host system, network or hard drive.

I would like to see a security audit on that claim.


I'm no expert on the Firefox source code but it appears the relevant code is here https://hg.mozilla.org/mozilla-central/file/193c4c5c7ec2/med...


This is a bad thing.

No saving means:

No time shifting, no device shifting, no legal fair use.


I'd guess that the larger barrier to the lack of saving is the desires of the copyright holders who decide what the EME module can do, rather than the permissiveness of the sandbox.


Exaggerating claims beyond a certain point makes them unconvincing. For example, the BBC's iPlayer is designed for time shifting and device shifting, and it has always used restrictive DRM, so saying that DRM prevents that just makes the argument look wrong to semi-informed users.


> saying that DRM prevents that just makes the argument look wrong to semi-informed users.

It does prevent these uses, however, unless the content provider explicitly provides it. The US law says that the content provider does not need to explicitly allow it; it's a right granted to the user by copyright law.


> For example, the BBC's iPlayer is designed for time shifting and device shifting

Cool, can you show me how to play the content on my portable MP4 player please.


get-iplayer?


I searched the BBC website but I can't find that anywhere.


Which relies on the flash streaming protocol, so here we are back at square one.


Actually we're worse. As I understand it UK law considers that because flash based DRM is weak it doesn't count as DRM and hence get-iplayer is legal. Will this hold when/if the BBC switches to the new boss?


> As I understand it UK law considers that because flash based DRM is weak it doesn't count as DRM

Unfortunately, no. I think you may be getting tripped up by the phrase "effective technological measures" - being "effective" is a very, very low bar. To quote s296ZF of the Copyright, Designs and Patents Act 1988:[0]

“technological measures” are any technology, device or component which is designed, in the normal course of its operation, to protect a copyright work other than a computer program.

(2) Such measures are “effective” if the use of the work is controlled by the copyright owner through—

(a) an access control or protection process such as encryption, scrambling or other transformation of the work, or

(b) a copy control mechanism,

which achieves the intended protection.

[0] http://www.legislation.gov.uk/ukpga/1988/48/section/296ZF


> Chrome and Firefox's sandboxes, meanwhile, are both open-source. You can inspect what powers the EME module might possibly have, and know that it can't gain any more.

Yeah, that's not true[1]. Sandbox security is not perfect.

Sandboxed plugins are definitely an improvement in security over non-sandboxed ones, but running untrusted code in a sandbox is still running untrusted code on your machine. At the very least that has to be considered one level of privilege escalation that's just being handed to malicious coders for free.

Sandboxes are great. I'd love to see open source code run inside sandboxes, because even if the code has been audited, even if I know the code isn't trying to do anything bad, it might have vulnerabilities that let other people do bad things. Running closed-source EME code inside a sandbox is still an unnecessary risk, though, because we have no way of verifying whether that code is secure and in fact that code might be an attacker itself.

[1] http://www.zdnet.com/article/pwn2own-2012-google-chrome-brow...


The JavaScript VM is also a type of sandbox, whose security in every browser is compromised on a depressingly regular schedule. It's true that the EME sandbox is an additional risk, but it's only supposed to run a single piece of software from (in Firefox's case) Adobe, which is probably not malware, and would thus have to be exploited before the strength of the sandbox made a difference. It probably can be exploited, but considering that attackers can run arbitrary evil JavaScript directly... EME is only a small addition to the overall risk profile.

What I think is more important, from a security perspective, is that EME defeats (or attempts to defeat) attempts to get by without JavaScript or the complexity of modern browsers altogether. YouTube doesn't work as is without JavaScript anyway, but one determined not to use it could just download all their videos with youtube-dl; until someone comes out with a reverse engineered Widevine or Adobe Primetime or whatever other long-i-festooned DRM systems these sites support, this plan won't work for DRMed video.


> running untrusted code in a sandbox is still running untrusted code on your machine

asm.js and various obfuscators allow websites to do this in the first place with closed-source code, with a far larger attack surface than the EME sandbox. In not a lot of time from now, they quite reasonably could.


DRM and sandboxing will also be using hardware enclaves within the x86 processor, https://news.ycombinator.com/item?id=8425178


When Cameron wanted encryption to be illegal, would that mean EME would also have been illegal?


Didn't he only want encryption without a government backdoor to be illegal?

I don't really think anyone has a problem with giving the latest episodes of Homeland and Downton Abbey to our political elite.


I have a problem with giving Homeland to our political elite. How about The Newsroom?


It's not the content itself, but the list of content accessed by a user that is dangerous for the governments of the world to have.


What does Theo think?

> You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.


The virtualization layer becomes a single point of concentration for both security and attack. That offers opportunities to reduce the attack surface and opportunity.

Net net, given the choice of extensive plug-ins vs. virtualization, I'll go with the latter.


Agree that eating less shit sandwich is better than eating more. But it's still a shit sandwich.


Flash for Chrome uses the PPAPI and is sandboxed.


That is a fair point, but I would also consider that a (limited) victory on par with the (limited) victory of moving from Flash to EME, and I wish it got more press. The people who are implementing sandboxes are doing massively effective work to improve the security and privacy of everyone using the web. Chrome has been quite active here and I don't think they can be thanked enough.

That said, PPAPI is Chrome-only; EME is a standard, and Mozilla's implementation even outlines a way for other browsers to integrate the EME module Mozilla uses, plus their sandbox, into their own browsers.


I think the point is that Chrome uses PPAPI for both Flash and EME.

Firefox also uses some kind of sandbox for plugins (like Flash) but yes, their planned sandbox for EME is stricter.


There is no victory here. EME is as bad as Flash if not worse. People who refuse to acknowledge that simple fact are as guilty as vendors pushing these technologies.

>> EME is a standard,

That's the heart of the problem. It guarantees the fact that web technologies are not open technologies anymore.

>> Mozilla's implementation

Mozilla dropped the ball years ago when it comes to proprietary techs. I see little difference between Firefox and Chrome on that matter.


People talk a lot about "sandboxing" things as though it's magical fairy dust.


I would be shocked if Safari did not also sandbox EME just as tightly as Chrome and Firefox. Of course, Safari isn't open source, but a sufficiently knowledgeable person could locate the background process Safari uses for EME (it probably has a very distinctive name) and check what the sandbox it uses is.


And through all this effort to "protect their content", they still haven't managed to stop people from bypassing the DRM and giving the videos away for free in torrents.

I have a hard time seeing how implementing DRM provides any value to media companies, other than a false sense of security.


The purpose of DRM is not to stop people from illegally copying. The purpose is to control and manipulate the legal users and limit the freedoms they would otherwise legally have.

Yes, DRM developers lie to us and claim that this is about stopping infringement. But that's only a pretense. They know that it only impacts non-infringing users. But they like having more control and power over the non-infringing users.

See http://www.defectivebydesign.org/faq#purpose


Accurate. Here are some wonderfully managed rights brought to you by DRM:

* What devices and equipment can view it

* Time limits on watching

* Regional lockouts

* Time shifted viewing

The movie industry fights tooth and nail to "manage" our rights, not just with DRM but plain RM. In NZ for example there is a ban on parallel importing films for a period after release! Here is something interesting: http://www.parliament.nz/en-nz/pb/debates/debates/50HansD_20.... Choice quote: "The 5-month ban will effectively give cinemas a further 1 or 2 months to exclusively screen films without competition.". Feast your eyes on the pandering! There is no "transition" period going on. It's the movie theatres using laws to prop up their new business model of stealing 20 minutes of your time and selling it to advertisers, after taking 20NZD admission.


It's interesting because this sounds very similar to control legislation in terms of which citizens it affects while not having much effect on criminals who, by definition don't care about the law.

I think your point is exactly correct, DRM does little, if anything, to stop illegitimate actors, but it does serve to manipulate and control legitimate users (for example preventing them from using the DRM content on certain devices, thus requiring them to potentially purchase it again.)


I know this is a popular way to frame the argument against DRM, but I have never actually seen any evidence that DRM companies actually think this way. I mean like a quote from an executive, or an internal memo, or even an anonymous statement from an employee.

I think it's a much simpler explanation that companies really do hope that DRM will reduce casual illegal copying and sharing, even though they know it can't absolutely stop determined people.


That is also the purpose of door locks btw, and I am assuming you have one of those on your door.


Wrong. DRM is a tool of the distributor against the user (remember: when you have a DVD, you don't own the content; you only have a license to view its content under certain rules. DRMs make sure you follow these rules).

The lock is a tool of the user against third-parties.


The analogous door lock on your computer is your firewall or USB autostart permissions or an encrypted hard drive.


https://www.eff.org/deeplinks/2009/04/doctorows-law

Doctorow's Law: "Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit."

A lock you have the key to is nothing like DRM.


It's not the purpose of door locks, it's the result. It's true enough that locks keep honest thieves out; they also keep the lazy ones out. Another practical result of a door lock is that it slows the attacker, hopefully enough that the occupants can react.


[deleted]


Prison locks != home door locks.

kmonsen is making the point that door locks on homes don't actually stop determined burglars. The only reason they work is because most people are relatively honest and aren't willing to take the step of breaking the lock (however trivial that may be), even if they'd otherwise happily open an unlocked door and walk in.

Not only that, but the fact that a door is locked almost certainly has legal implications for trespassers (though I don't know if that's really applicable to house door locks as much as it might be to locks on doors leading from public areas of commercial buildings to private ones).


Thanks for improving my point :-)


Corporate execs, politicians or government officials rarely look at the world with the same eyes as someone who reads HN. They believe that DRM provides value as otherwise pirating content will be rife. It is sort of built into most of these people's world view, in a similar way that hard nosed capitalism is nearly the only viable narrative for a lot of them.


It's possible the false sense of security is worth more than people think. It lets them say "hey, we tried".


I think this is a very important point. These media companies have not been able to extract as much rent from their IP as they could ten years ago, and their shareholders are not happy about that. They absolutely have to try something.


Certain companies have been extraordinarily interested in implementing WebCrypto without mandating HTTPS. Which is to say, a man-in-the-middle attacker could trivially modify the JS that calls WebCrypto and cause different operations to be performed.

My suspicion is that they have contractual agreements with the non-technical folks in the studios that they have to "encrypt" content, and the technically-competent redistributor has no direct interest in the crypto being sound. If the API gave them 256-bit military-grade AES encryption, but only in ECB mode, they'd probably use it.


Right click -> Save As is a tad easier than finding a torrent.


Right click -> Save As is only possible after you've paid.


This overlooks what happens subsequent to the Save As, eg watching it again if you had only paid for a rental or distributing it to other people, which would be a serious infringement.


EFF's view is that we've been sold down the river with EME (Encrypted Media Extension).

Except ... that I seem to be able to access most online video content (certainly on YouTube, Vimeo, and other major sites) via youtube-dl.

And hugely prefer to do so. It's much more useful for me to be able to queue, speed up / slow down, pause, resize and otherwise manipulate video with consistent controls than to have the limited (and varied) interfaces various online video / multimedia sites offer.

I've got a video playing as I write this, well, paused, at 133% playback speed, in a small 250px x 190px window -- when I can give it my focus again I'll simply mouse over it and tap 'space' to resume playback. If I want to skip back a few seconds, or a minute, the left or down keyboard arrows do that for me. As they do for all video I play. I can also normalize audio levels (many are too low, this one's actually got a tendency to clip), and more.


The reason you can access most online video content via youtube-dl is that historically speaking, YouTube and most other Flash-based video players actually had no DRM at all. Flash's DRM support was crappy, unreliable and expensive to license and few places used it. I think I've literally come across one site that used their proper DRM, at which point I discovered it didn't actually work on my PC. (A handful more use RTMPE, which is hilariously broken but enough to block youtube-dl out the box.) DRM's becoming a lot easier with HTML5, and a bunch of sites that didn't previously have robust DRM are now planning to start using it.


If you are going to use unauthorized methods to gain content, there are many convenient ways to do so. Most are not affected by DRM.

The issue with DRM on video is one which lawful consumers of content have to deal with, and those who run programs which are infected by said DRM.


Um. Who elected you god and decided youtube-dl is "unauthorized"?

I was actually inquiring as to how such use is impacted by the decision. I've found few or none. Then again, there's little commercial content I've interest in regardless.


belorn probably figured the terms exclude it, I was curious and checked - seems so. Maybe they've authorized your method specifically somewhere though?

http://www.youtube.com/t/terms

"You agree not to access Content through any technology or means other than the video playback pages of the Service itself, the Embeddable Player, or other explicitly authorized means YouTube may designate."


Yeah, well, I never confirmed the terms. "By using it, you agree …" is not a binding contract in Germany.


Nobody claimed it was a contract violation, or even illegal, just that it was not authorized by YouTube's TOS.


The first comment actually just said that it was "unauthorized". By creating a website and making it available on the WWW, you implicitly authorize the user to use a browser to access the website. Which form of browser the user chooses is none of your business. All browsers are therefore always authorized, if you do not restrict the access yourself.

Of course some basic laws have been added since the birth of the web. You are not allowed to flood a site with requests and so on. But the principle that browsers and websites are separate entities still applies.

If you want full control over your users clients, create your own protocol and your own client. As long as you use open protocols on the web, you implicitly agree to the contracts of the www and have to live with the fact, that the user chooses his client.


> By creating a website and making it available on the WWW, you implicitly authorize the user to use a browser to access the website.

By default, yes, but if you then explicitly override that with robots.txt or a TOS, those take precedence. (Again, I'm not talking legally here, just what's been the cultural custom for the past 20 years or so. In other words, if you ignore either and then get banned, I don't think many netizens would shed a tear for you.)


YouTube could do so, but I would argue, that not the user but YouTube behaves as a bad net-citizen then.


In Sweden, there was a famous case in which this premise was tested. A cable channel gave out a publicly accessible web link to customers after payment, which then got naturally shared. The cable channel sued the person who shared the link, arguing that it was copyright infringement since it allowed unauthorized users to access the site (case called Canal Plus-fallet). The defense argued that since there was no restriction added to the site, that meant it was public.

The court went with the side of the cable company, even if many commentators disagree. What effect a Swedish case can have on German law depends, but using European court cases as guides is quite common in Swedish courts if there are no other prior cases. Same might apply for German courts.


That is unfortunate. I think from a technical point of view, my interpretation of the "laws of the web" is true. What courts decide is another story.

It is part of the bigger problem that courts do not understand every aspect of our complex society and have to listen to experts, which just defers the problem to the election of these experts. You do not want to give them the power either, because they are easier to lobby than justices.

I just hope that a generation of justices and politicians arises that understands the basic principles the web is built on. Like links, that give the web its name, and how they work, who can control them and so on.


The US Supreme Court has also cited EU court cases.


YouTube's terms forbid the use of unauthorized third party programs to access their services.

Check out number 5.

  Content is provided to you AS IS. You may access Content 
  for your information and personal use solely as intended 
  through the provided functionality of the Service and as 
  permitted under these Terms of Service. You shall not 
  download any Content unless you see a “download” or 
  similar link displayed by YouTube on the Service for that 
  Content. 

The problem is YouTube has so many third party applications working with it, that it's smarter for them not to do anything about it.

I'm thinking it's the photoshop theory of DRM, just enough to ward off grandma, not enough to prevent photoshop from being replaced as the dominant image manipulation suite.


You don't need to be elected or a god to read the YouTube TOS.

Note that the claim was not that it's illegal or unethical or wrong, simply that YouTube itself (rather explicitly) declares that they don't authorize this use of the site.


I distinctly remember being upset about DRM in the '00s, back when it was being used to place onerous restrictions on content that people had ostensibly "bought" (CDs, DVDs, AAC audio files, etc.). Now that it's being used to prevent people from saving streams... I hate to say this, but please remind me why I should be upset? I never had any illusion of "owning" a stream. Not only that, I would rather stream than own in most cases.


Because it's a lot harder to make a competing web browser now. You'll have to buy the secret binaries from one of the DRM providers, if they'd even be willing to sell.


Firefox, which is open source, both sandboxes the Adobe decryption module—giving the browser control over the world that the Adobe module sees—and fetches it at startup from Adobe's site. It seems almost impossible that you'd be unable to hit the same URL from your own browser and put it inside your own sandbox such that the module can't tell it's not running inside Firefox. You have the hard constraints that the module can't examine the outside world except through the sandbox, and the sandbox itself is open source.

Edited to add: Widevine, the (Google-owned) decryption module Chrome uses, has no license fees. http://www.widevine.com/


As an actual example of the problem, there are millions of PowerPC Macs out in the world that run perfectly adequately with Linux and are capable of playing HD video. Is the opaque binary blob hardware-independent?

If it is then I can't even imagine what its purpose is supposed to be. If my "hardware" is a virtual machine that captures the video output to a file then the blob isn't even doing anything. And if it's not hardware-independent then there are obviously going to be innumerable minority platforms that it doesn't support.


I think they have given up on preventing you from capturing the output. The binary blob does decryption and decoding in one step, which prevents you from replaying the compressed stream.


I don't understand how that is even supposed to be useful. The output is still digital HD video. The higher the quality of the video the fewer compression artifacts there are going to be and the less having to re-encode once will make any difference whatsoever. And it would only have to be re-encoded once regardless of how many times it's played back or copied subsequently. If they're hoping for some kind of VHS-style degradation of the video quality they obviously haven't actually tested it.


"there are millions of PowerPC Macs out in the world that run perfectly adequately with Linux and are capable of playing HD video"

I think you might be too optimistic on this one.

Not to mention most of these are probably running with 512Mb to 2GB RAM (G5 iMacs go to 2GB, PowerMacs to 8GB, some go to 16GB)


I suspect you could coax 720p out of a 1GHz+ G4 if the code was sufficiently optimized -- another obvious problem with putting the video decoder in a black box.

But more importantly, the point is not the exact quantity of particular models of PowerMac in existence, the point is that if I have one which is otherwise capable of it, this nonsense interferes with me doing it.

And the same goes for every other thing that doesn't fit a mold. What about Linux on a PS3? What if I have a PA-RISC/Itanium/Power/etc Unix workstation? What if I'm using X forwarding so that my "browser" is really running on an UltraSPARC server?

It breaks anything the central planning committee didn't contemplate a priori or can't be bothered to fix. And it's not just old hardware, it's anything new or different. It keeps new platforms from getting off the ground.


For Widevine, it looks like the following would be required:

    Completion of legal agreements
    Delivery of a Widevine documentation package
    Technical discussion to understand the device type, chipset, and review the Widevine robustness rules
    Exchange of libraries, SDKs, and integration documentation
    Keybox request and fulfillment (as needed)
    Client integration testing

For piggybacking on the Firefox binary, maybe that would work but sounds like something you might get a cease and desist for.

Anyhow, if everyone agrees to make the binaries 100% free as in beer (like Cisco did with H.264), then that's better than nothing and makes writing new browsers easier.

But the future is in new devices, operating systems, and virtualization. Being provided binaries limits freedom to make new things. And of course who knows what backdoors are in them.

(Edit to add: this is a great discussion, http://www.reddit.com/r/debian/comments/25kbi7/next_firefox_... -- note that the tracking/privacy/backdoor issues with this are huge.)


Openh264 from Cisco may be free as in beer but as it only supports the baseline H.264 profile it's effectively useless.


> fetches it at startup from Adobe's site

Source?

Anyway, even if you can download and sandbox the Adobe module it might be a violation of the license agreement. This can even be a criminal offence in many countries because of special laws about circumventing DRM!

What about operating systems and hardware platforms not supported by Adobe or Google? PowerPC, MIPS, Tizen, *BSD, etc.


It's a convoluted process, but Firefox pings the update server, which returns a list of proprietary blobs to potentially install.

It looks like this with Cisco's OpenH264 plugin and Adobe's CDM: https://aus4-dev.allizom.org/update/3/GMP/36.0a1/20120222174...


To make matters worse: Three of the four major browser vendors are also DRM vendors. Google, Microsoft, and Apple all have their own DRM modules. EME therefore gives them a lot of control over the browser market and media market.

Four of them are also working on their own mobile devices/OS. Which gives them even more incentive to lock out competition.


I'm not a fan of DRM, but I don't find this argument very convincing. It's pretty much impossible for anybody to create a new mainstream browser at this point. The standards are huge and complex and require seriously optimised implementations to get acceptable performance.

Which is why we only have a handful of competitive browser engines today, and all of them are based on code at least 15 years old. The last time somebody created a serious new mainstream browser (that wasn't just a re-skin of an existing one) was 7 years ago, and it was still largely based on existing code, despite having the backing of one of the biggest tech corporations on the planet. The standards have become vastly larger and more complex since then, and security and performance expectations much higher. Just keeping up with all the new standards is hugely expensive. The cost of a DRM module from Adobe is surely the least of your worries if you want to create and maintain a new browser.


> The last time somebody created a serious new mainstream browser (that wasn't just a re-skin of an existing one) was 7 years ago, and it was still largely based on existing code, despite having the backing of one of the biggest tech corporations on the planet.

We're working on one (Servo) :)


And we are working on another (gngr) :)


It is a hard problem to crack, we should give up.


The basic principle that we have lost is that the standardized part of the web has always been fully open. You can look at the source of any page, figure out how some cool CSS or javascript trick works and copy it. You can download any image you see and modify it. This is in contrast to, for example, an iPhone app: it's closed, unmodifiable, secret, hostile to tinkerers. Flash video was closed, but it was not a web standard; this is.


First, it is simply not true that the standardized parts of the web have been fully open. There have been scores of proprietary features, including those with no source availability or even documentation, that have become web standards because browser vendors built or reverse engineered them and web developers used them.

Standardization is a good thing, but you're being a bit selective claiming web standards have always been open and source available. It doesn't always happen that way. It didn't happen that way for image codecs, for example.

Second, plug-ins most certainly are and have been a Web standard.

NPAPI was implemented in multiple browsers from multiple different vendors and has been used by dozens of major software companies and thousands of lesser companies, commercial and open source, for browser integrated features.

That you don't consider de facto standards to be standards doesn't mean they aren't.


Somehow this reminds me of my long running rage against all things webapp and javascript. Companies have started using the browser as a substitute for an OS because it is easier to distribute working code to multiple platforms on a browser. So what do the DRM people target now? The browser: aka operating system 2.0. And the thing that is scary is that people don't realize this and think "oh, it's just W3C, it's just a single program on my computer, they aren't really attacking general computation!" Spoilers: browsers act as virtual machines for probably 90% of all calculations that run on an average PC these days.


Adobe got Flash (once one of their main products) wrong on the security side so many times that we can't even keep count anymore. Let alone the horribly bad performance of Flash and the hack-slack way they added features. Why on earth would anyone want to trust this company to build another proprietary blob of their sub-par code into all browsers? They've proven to be incompetent in many attempts, let's not give them a 32nd chance.


To be honest the W3C was between a rock and hard place here as all the other alternatives on the table were worse than this. If they had dug in we would have ended up with 2-3 proprietary DRM standards across the browsers or Flash would have lived on. Both are worse outcomes.

As for "the open web", nothing changes. Content that was DRM free will continue to be DRM free, content that wasn't DRM free will still remain DRM. If anything we are slightly better off as one more proprietary has bitten the dust.

As with a lot of things, the next steps aren't technical. Organizations like the EFF should be working with content providers to educate them on the benefits of being DRM free. A much harder task than firing off press releases.


> If they had dug in we would have ended up with 2-3 proprietary DRM standards across the browsers or Flash would have lived on. Both are worse outcomes.

You're wrong about this. That is an excellent outcome. Large companies want the universal application that free software enjoys, but with none of the respect for the users it requires.

I have absolutely no problem with companies having huge problems locking users in. If we had 2 or 3 proprietary standards to implement DRM that made things worse for users, that's a good thing.

"Why is this so hard to do?" The answer should be: "We refuse to make such abhorrent behavior easy", rather than: "It's not"

Making it easy for vendors to dick users over is a bad thing.

Making DRM easy to deploy damages the open web in a very bad way.


I think this article seems to act as though ditching flash just happened to coincide with adoption of this new EME thing. The issue is that no matter how much we kick and scream about user freedom, business interests are business interests. Economics are economics. There just isn't enough user demand for freedom to overcome the loss to businesses of losing control of their content. In order to win this, I think we may need to come to terms with this. Perhaps it means trying even harder to inform the public and increase demand for freedom, but maybe it means coming up with alternate ways to monetize, or alternate ways to produce which circumvent the need to monetize.


This is a misrepresentation of the problem here. You're restating the corporate arguments.

> There just isn't enough user demand for freedom to overcome the loss to businesses of losing control of their content.

DRM doesn't prevent businesses losing control of their content. Orange is the New Black has, AFAIK, only ever been distributed through EME, but it's all over the Pirate Bay, every single episode.

> maybe it means coming up with alternate ways to monetize

We have alternate ways to monetize. The simplest being doing exactly what they are doing except not DRM-ing their content, which demonstrably has worked for multiple content distributors. There are others.

DRM isn't about controlling content or monetizing that content. It's about maintaining an outdated business model because business executives don't understand the internet. Which would be fine, except that it's hurting the open web.


> Orange is the New Black has, AFAIK, only ever been distributed through EME

This isn't even close to true. Netflix has a ton of non browser delivery mechanisms. It may only have been delivered with drm but that's a different thing and I don't know enough to know if that's true.


> This isn't even close to true. Netflix has a ton of non browser delivery mechanisms. It may only have been delivered with drm but that's a different thing and I don't know enough to know if that's true.

Maybe that’s a bad example. But I’ll put out this challenge: find me a reasonably popular TV show that’s supposedly completely covered by DRM, and I’ll find you a torrent for it. My point is that DRM does nothing to prevent piracy.


You keep telling that to yourself, and yet the businesses go out of their way to do something that you're so sure doesn't do them any good. Do you really think they're stupid? Do you really think they are wasting their energy, to support a system that possibly even hurts their bottom line? Are you in the entertainment industry? Do you know better?

I'm not saying they can't be stubborn. But I have trouble believing that as outsiders we can really see all of the factors involved in these business decisions. Maybe there are different levels of sophistication from this camp, but I also remember people saying that piracy would actually help CD sales because it spread the word about artists. How many platinum records have there been in the last 5 years? I'm inclined to think there's something at play here, something that really hits their bottom line, that we're not considering. "Business people are stupid", while possible, is a hard line to swallow, they didn't get rich by being stupid.


> You keep telling that to yourself, and yet the businesses go out of their way to do something that you're so sure doesn't do them any good. Do you really think they're stupid? Do you really think they are wasting their energy, to support a system that possibly even hurts their bottom line? Are you in the entertainment industry? Do you know better?

I’m not saying they’re stupid. I’m not even saying that the insistence on DRM is stupid, I’m just saying it’s wrong. It’s an understandable mistake—it’s hard to understand the capabilities of the internet.

> Maybe there are different levels of sophistication from this camp, but I also remember people saying that piracy would actually help CD sales because it spread the word about artists. How many platinum records have there been in the last 5 years?

This is a completely irrelevant point. Of course piracy hurts sales. But DRM doesn’t solve this problem, and I see no purpose pretending that it does.

I’ll be happy to revise my opinion if a DRM scheme emerges which actually works.

> I'm inclined to think there's something at play here, something that really hits their bottom line, that we're not considering.

Well, yes. There’s something else at play here, which is that having closed-source access is useful to corporations for reasons that have nothing to do with DRM. For example, having more closed-source access to users’ machines means that they can collect more data on their users without their users knowing.

Yes, there are things we don't know, but it's a pretty big leap to assume that these unknowns are good reasons to concede on an open web. If there are unknown reasons that companies want closed internet, there is nothing stopping them from presenting those reasons in the court of public opinion. I suspect the reason they are fighting the DRM issue is that it comes across as defending artists' rights, and the real reasons companies want to run untrusted, unaudited code on our machines are things you'd feel less sympathetic about.


> It’s an understandable mistake—it’s hard to understand the capabilities of the internet.

It wouldn't just be a mistake, it'd be a mistake followed by an industry-wide refusal to admit to the mistake, over and over again. I suppose iTunes could be a counterexample, but (from a brief search) the DRM-free stuff is for music. I think movies still have it.

> This is a completely irrelevant point. Of course piracy hurts sales.

Sorry, sometimes I gloss over things and my point doesn't get across properly. I know this is irrelevant to the current point. What I'm bringing up here is another claim I remember hearing from a camp that claims to know better than the music industry executives. Perhaps it's unfair to lump you all together, it's just part of why I'm skeptical to hear this stuff now.

> Yes, there are things we don't know, but it's a pretty big leap to assume that these unknowns are good reasons to concede on an open web.

Probably me being unclear again. I didn't say we should concede on an open web. When I talk about "good reasons", I'm talking from the executives' point of view. It sounds like you're talking about some sort of universal good. I'm saying that there's what we want, which is an open web, which we shouldn't give up on, and there's what they want. All I'm talking about is understanding our opponents' incentives, and not assuming too quickly that it's just based on them making a mistake.


> When I talk about "good reasons", I'm talking from the executives' point of view. It sounds like you're talking about some sort of universal good. I'm saying that there's what we want, which is an open web, which we shouldn't give up on, and there's what they want. All I'm talking about is understanding our opponents' incentives, and not assuming too quickly that it's just based on them making a mistake.

Okay, it sounds like we're vehemently agreeing with each other.

The thing is, these executives have done a very good job of controlling the discourse and making this a conversation about content ownership. But the fact is, there are only two possibilities here: 1. They are actually so stupid that they don't know DRM doesn't protect content ownership (which, I agree, is unlikely) or 2. They know that DRM doesn't work, but they don't want their real reasons for gutting the open web to be publicly known.

What I want to do is make the conversation not about DRM any more, because it's clear that DRM doesn't work. Given that, we should look at the possibilities for why companies might want EME on our computers. And you don't have to look very far into those possibilities to see that they're really scary, which underscores the need for a truly completely open web.

In short, the DRM conversation makes companies who want to run their untrusted code on our machines out to be harmless idiots who just think that DRM will help their sales. But they aren't idiots, and they aren't harmless.


Is Netflix an outdated business model? Because it's not possible without DRM. Is any sort of video rental or subscription model outdated? And why is it outdated? DRM may not be able to provide 100% ironclad copy protection, but it provides roughly the same level of copy protection that video rental had before, probably better if you're comparing to VHS or DVD.

The idea that any sort of rental arrangement for video content is "outdated" reflects your own wishes, not the facts on the ground. The technology exists to provide good enough guarantees for the content providers, and it remains a popular choice with consumers. You're right that pirates have figured out how to break the DRM on Orange Is The New Black and distribute copies of it. What they haven't figured out is a new business model where consumers buy the majority of their content a la carte rather than getting much of it from subscriptions (Netflix/Hulu/Amazon type subscriptions or cable/satellite subscriptions) and rentals and theatrical exhibition.


> Is Netflix an outdated business model? Because it's not possible without DRM.

[citation needed]

> Is any sort of video rental or subscription model outdated?

I’m not sure why you’re asking me that, I never said that.

> And why is it outdated?

Because DRM does exactly nothing to prevent piracy, and hurts users.

> DRM may not be able to provide 100% ironclad copy protection, but it provides roughly the same level of copy protection that video rental had before, probably better if you're comparing to VHS or DVD.

And how much copy protection is that?

Here’s a fun experiment: go on The Pirate Bay and search for Orange is the New Black, then tell me how effective you think DRM is.

Piracy is far easier now than it was in the VHS or DVD eras. In the VHS or DVD eras you at least had to have some access to a controlled version of the content in order to copy it. Now you can go on a torrent site and search for something you’ve never heard of and people you’ll never meet will serve it to you for free.

So no, DRM does not provide roughly the same level of copy protection as video rental.


Interestingly it seems YouTube is still using Flash in its pre-roll advertisements unless I'm missing something obvious. Those videos get the 'f' from flashblock and won't view unless it is enabled.


It's a little weird that the EFF is using YouTube's move to HTML5 video by default to attack EME, considering that YT doesn't require EME...

(Yet, anyway.)


It's maybe to point out some of the irony of "Hey, let's accept another proprietary blob from Adobe" when it's not even needed anymore now.


I hear what the proponents of non-DRM browsers are saying, but for media streaming companies content is their bread and butter. I am not sure what the alternatives are.

Content providers will stick with technologies like Flash because HTML5 alone could not provide EME. Lack of such a feature sets HTML5 backwards because huge content providers would shy away from using the web as the dominant platform of media delivery.


> I hear what the proponents of non-DRM browsers are saying, but for media streaming companies content is their bread and butter. I am not sure what the alternatives are.

The alternative is non-DRM browsers. EME does nothing to protect content, so the "content is their bread and butter" argument doesn't work.

> Content providers will stick with technologies like Flash because HTML5 alone could not provide EME.

Or, they'd give up on EME because all the major platforms were hostile to it and it provides them no defensible value.

> Lack of such a feature sets HTML5 backwards because huge content providers would shy away from using the web as the dominant platform of media delivery.

Including EME sets the web platform back because we no longer have control of that part of our browsers.


> Or, they'd give up on EME because all the major platforms were hostile to it and it provides them no defensible value.

That's absurd. Netflix would sooner stop supporting web browsers on desktop OS's before they started allowing DRM-free streaming. Regardless of your own view on DRM, Netflix's licenses to the content they provide almost certainly require the use of DRM, and the companies that own the content would never be willing to relicense them for DRM-free streaming.

Without EME, Netflix would be relying on proprietary browser plugins forever, and if a platform with a significant userbase appeared that didn't support any form of proprietary plugin, and they wanted to support that platform, they'd develop their own proprietary application for it instead of providing DRM-free streaming (think of how Netflix has applications for mobile OS's and even consoles, both living room consoles and handheld consoles).


> the companies that own the content would never be willing to relicense them for DRM-free streaming.

Don't be so sure. People were saying exactly this several years ago about music. We owe it to Jobs that he realized it's a stupid idea, and put an end to it.

> they'd develop their own proprietary application for it instead of providing DRM-free streaming (think of how Netflix has applications for mobile OS's and even consoles, both living room consoles and handheld consoles).

That seems better to me, than poisoning a whole standard just to get their way, or the highway.


That's purchased music.

You don't rent out stuff and let people keep it after they stop renting.

> That seems better to me, than poisoning a whole standard just to get their way, or the highway.

The open web has been losing a lot of traction to a closed competitor on iOS and Android. Businesses in China are on WeChat long before they are on the web. Giving up streamed music and video completely to apps would damage the world wide web immensely by shifting more users over to closed app systems. The web would go the way of the newsgroup.


> The open web has been losing a lot of traction to a closed competitor on iOS and Android.

The open web lost a lot of traction to a closed competitor when it integrated EME.

Your argument here is basically "companies won't use the open web, so we shouldn't have an open web".


> Don't be so sure. People were saying exactly this several years ago about music.

Music and video have always been very different markets. Among other things, music has always been available in high quality form without DRM (on CDs). And the consumer habits around music are different than those of video. And as wodenkoto said, we're talking here about streaming video, not purchased music.


"We owe it to Jobs that he realized it's a stupid idea, and put an end to it."

Don't buy into this nonsense Jobs sainthood. He was a person who went whichever way the wind was blowing.


Does support for plugins poison web standards?


> Without EME, Netflix would be relying on proprietary browser plugins forever

And they should! They distribute proprietary software, so they should be able to deal with relying on other proprietary software.

This idea that we must sacrifice the ideology of the web for the benefit of large corporations like Netflix is completely insane.


The idea that the existence of EME somehow destroys the rest of the web is completely insane. Remember, NPAPI is a web standard, so we've already had the existence of closed-source proprietary binary blobs as part of web standards for many years. EME is a huge step forward.


> That's absurd. Netflix would sooner stop supporting web browsers on desktop OS's before they started allowing DRM-free streaming.

So let them, and let a competitor arise that allows a similar service with DRM-free streaming. That's what the free market is for. I'm not sure why implementers of the open web should care about Netflix's concerns.

> Without EME, Netflix would be relying on proprietary browser plugins forever, and if a platform with a significant userbase appeared that didn't support any form of proprietary plugin, and they wanted to support that platform, they'd develop their own proprietary application for it instead of providing DRM-free streaming (think of how Netflix has applications for mobile OS's and even consoles, both living room consoles and handheld consoles).

So let them do that and suffer the consequences of the inferior user experience that would provide.


What makes you think it's even possible for a competitor to arise with DRM-free streaming?

The reason you don't see any DRM-free video streaming of non-independent content is because the content producers require DRM. They won't license their content without it. It's quite literally not possible for a DRM-free Netflix competitor to arise, because they'd have no content (or at least, no content worth watching).


The content producers, not the distributor Netflix, insist on DRM. If Netflix is streaming the same content to a native application instead of a browser, they will have the same DRM requirements.


> I hear what the proponents of non-DRM browsers are saying, but for media streaming companies content is their bread and butter. I am not sure what the alternatives are.

And the DRM does absolutely nothing to stop anyone from doing whatever they want with it. DRM punishes paying customers at the expense of being a slight pain-in-the-ass for pirates. Plain and simple: they delivered content to my computer and I have a key to decrypt it - there's nothing stopping me from doing whatever I want with those bits but the time to break their silly DRM scheme.

Had Apple, Google, Netflix et al. the backbone enough to stand up to the media companies, we'd never have been inflicted with such stupidity. Now, Google's taking it upon themselves to start using their own DRM module with their own media - so much for the company that prided itself on Do No Evil.


How is that punishing a paying customer?

It's a quirk of classical information theory that you can't transmit a piece of data for a limited period of time. As an approximation, they apply a silly DRM scheme that takes time to break, and ask customers if they are willing to pay for time-limited access.

Unlike with DRM on music downloads or (worse) physical copies of software or games, there's no expectations mismatch here. If you sell a download, the average buyer expects to be able to copy that download, etc. If you stream a movie, the average buyer no more expects to be able to retain a copy than the average movie-ticket holder does. They didn't think they paid for a copy of those bits for all time.

There's nothing stopping someone who visits a movie theater from doing whatever they want with those photons, other than the time to build a sufficiently concealed camera, is there? And pirates do show up to movie premieres with concealed cameras... but would you argue that the security guards stopping you from carrying in a giant camcorder are "punishing paying customers" while not effectively deterring pirates?


> How is that punishing a paying customer?

If the paying customer would pay anyway, it is punishing, because it requires that they: are limited to the set of browsers that support the DRM scheme, are limited to the platforms that the DRM scheme is available for, and perhaps most importantly, the content provider can dictate rules that may not be considered to be entirely fair. E.g. Netflix makes it impossible to temporarily download a copy to view when you don't have a (high-bandwidth) internet connection (e.g. those of us traveling a lot outside their country).

Also, if DRM was not supported by the technology companies, it would be more attractive to come up with a form of subscription that would offer both streaming and downloading.

'Pirating' doesn't have all these downsides.

Of course, on the flip-side for many people DRM-ed 7.99 p/m streaming services are more price-effective than the previous 7.99 per album DRM-free purchases. But you may be left out if you run FreeBSD or Linux on non-x86_64.


> How is that punishing a paying customer?

You must be young, forgetting about formats like WMV or WMA where you couldn't open the file without the proper license installed on your computer. That's what DRM is about. And of course you needed to log in to a server regularly to renew the license, or you couldn't listen or watch the media anymore.

Just like games, pirates don't have issues with online license verification, since they play pirated games that got rid of them.

Obviously vendors did a nice job not only brainwashing the legislator but also the client.


I remember those formats clearly! Online streaming seems like a very different sort of thing, is my point. When you have a DRM-locked download, you expected to have an unlocked download. When you have a DRM-locked stream, did you expect to hold on to the stream in any form?

I think that we are remembering "DRM" from the days of DRM'd downloads, which was a terrible thing, and applying that memory here where it does not fit.


Great argument. One point, though: it's "Don't be evil." Are you able to say you "do no evil"?


Over thousands of years of human history, new technologies have changed the ways people communicate, from language to writing to the printing press, and so on. Every change shifted the economic balance, so things that once were prohibitively expensive became easy, and people who derived economic benefit from former scarcity became disadvantaged.

I hear what the proponents of DRM-encumbered browsers are saying - media streaming companies control huge chunks of our popular culture, and significant political power, and it's expedient to give in to their demands and stop threatening their business model. But when I look back at the last thousands of years of technological progress, I cannot bring myself to say "yes, this is good enough. We should legislatively freeze our technology at early-21st-century levels forever." Our civilisation has benefited from technology so much already, I can't in good conscience deny people the benefits of future technology, even in exchange for the right to stream Game of Thrones.


Media producing companies that have no way of safeguarding their revenue stream would like the technical threshold for copying to be at least a minor deterrent, because otherwise people have no incentive to pay them; many many people are in fact OK with being freeloaders.

I'm so sick of seeing Game of Thrones offered as the standard example. Sure, HBO has more money than any of us would know what to do with. I, on the other hand, make my living working on films with budgets that only amount to a few hundreds of thousands of dollars, and believe me that does not go very far - the lower cost of digital vs. celluloid film is only one line item in the production process, whereas you still have to pay for locations, costumes, props, housing, transport, food, lighting, and a whole bunch of other things before you even get to handing out any wages.

It's very, very hard to monetize a low-budget film. And there's constant downward pressure on production budgets, because indie films don't usually have fat box-office payoffs, and instead depend on small-scale releases in festivals and the art-house cinema circuit, followed by (you hope) some international box office and (you really hope) a long tail of DVD/streaming sales. And that long tail is highly vulnerable to piracy, and the existence of piracy is a big deterrent to investors.

So when you're saying Big Studio makes enough money with their latest superhero franchise movie, or HBO makes enough money with their huge base of cable subscriptions, and so you don't feel bad about pirating Superhero 4 or Game of Thrones, well, sure, I understand that - none of the producers are in any danger of losing their shirts, everyone on the cast and crew got paid handsomely at the fairly generous rates their guilds/unions have negotiated over the years, and the shareholders still make plenty of money and get a nice dividend check every quarter.

On the other hand, lots of smaller content providers are getting fucked financially because it's a lot harder to answer the question of 'how will investors make their money back?' than it was a few years ago. So spare me the stereotypes of evil media barons trying to stop the brave plucky technological underdogs. That same technology is also massively disruptive to creative professionals and small businesses that work outside the Big Media tent, and actively hinders their ability to make a living.


I'm not saying that HBO is rich so it's OK to pirate their stuff, I believe the entertainment industry as a whole, from Big Five studios down to indie filmmakers, is no longer viable -- at least in its current form. Previously, duplicating a creative work was labour- or resource-intensive, so comparatively few entities could attempt it, and the effort required to police them was small compared to the economic and cultural gain. Now, duplicating a creative work can be done at the twitch of a fingertip, by anybody, anywhere, anytime. As a civilisation we could spend the time and effort to police such things, but I'm not sure it would be worthwhile.

As you point out, it's already hard to monetize a low-budget film and it's not getting any easier. But that's not because people are freeloaders or because they refuse to allocate their resources responsibly (although both may be true). Ultimately, the real problem is that the world changed, and things that had been difficult became easy. We can't put the genie of general-purpose computing back in the bottle, and I think it would be irresponsible to lock it down in its current state. The only reasonable alternative is to move forward: this will mean a great economic upheaval for artists, just like the invention of the printing press and recorded music and television were, but I don't think that's a deal-killer. Humans have been creating art, with or without economic recompense, for thousands of years, they're not going to stop now.


Duplication is only one half of the economic picture. You don't need to explain to me how the costs of duplication have fallen to zero, but I would like you to address the fact that the fixed costs of creating something people want to duplicate are very far from zero.

> Humans have been creating art, with or without economic recompense, for thousands of years, they're not going to stop now.

And for the longest time art was the preserve of the wealthiest segment of society that used it as means of keeping the population in line. The idea that people who work in the arts should not be allowed to use technology to monetize the product of their labor is a bunch of self-serving bullshit. Nobody is entitled to have an artwork they produce become successful, but if it does become successful (in terms of people wanting to watch/listen/read) then they're entitled to something in return for the utility their product has provided to the consumer.


> I believe the entertainment industry as a whole...is no longer viable

How do you rationalize the movie industry's increasing year to year profits with the idea that the entertainment industry is no longer viable?

https://www.techdirt.com/articles/20140328/11442826721/pirac...

Although I don't have numbers, it is my impression that many more musicians / songwriters are making a full time living at their music than in the past. In today's world it is a lot easier to 'go at it alone'.


> How do you rationalize the movie industries increasing year to year profits...?

OK, so "no longer viable" is perhaps a bit of hyperbole. Perhaps a better word would be "doomed", which is to say that the economic axioms it was built on are no longer as firmly true as once they were, so the industry cannot continue in its current form indefinitely. It may continue for a little while from sheer momentum, and until the future becomes more evenly distributed, and it may eventually reinvent itself (and I hope it does) in a way that is sustainable under these new conditions, but something's got to change.

> Although I don't have numbers, it is my impression that many more musicians / songwriters are making a full time living at their music than in the past.

My impression is that a lot of these musicians and songwriters are finding fans over the Internet, playing small venues and touring small areas, with maybe the help of a manager or two. When most people think of a phrase like 'rock star', they probably imagine someone who finds fans by paying for lots of radio play, who fills stadiums and tours the world with the help of a giant record label who might have hundreds or thousands of artists signed to it. When I say 'the entertainment industry is doomed', I'm heavy on the 'industry' - the giant record labels, the world tours and saturating advertising are doomed because digital reproduction puts a cap on how much money can be extracted from a particular recording. These musicians and songwriters you talk about have already figured out how to earn a living in the post-Internet era, and I hope they can serve as an example to artists in other media who currently believe that the existing industry must be propped up indefinitely so they can earn a living.


It's far, far easier to record a song or even an album than it is to make a movie. The former is something you can literally do alone in your bedroom with a fairly modest outlay on equipment, if you're willing to work on the craft of sound engineering or team up with someone skilled in that area if your main skill is as a musician/songwriter. Of course it's not the same as going to a studio with outstanding acoustics and great session musicians etc. etc., but it's very feasible nonetheless.

Making a movie is simply not something you can do on your own - it's orders of magnitude more complex and expensive, in both time and dollar terms. Also, you can't make money on live performances or merchandising swag in the same fashion that musicians do; it's not impossible to build other streams of revenue besides ticket/rental channels, but it's a lot more difficult and the ancillary revenue potential varies enormously with the subject matter.


Thanks, as someone outside the media producing business, I found this very interesting to read.

I often like to think that we don't really need big budget productions; sure, they're fun but they are stifling our culture with marketing, big name actors, risk/controversy-free scripts.

Distribution is the other big problem. The internet has changed/balanced things and it looks like DRM is just attempts to curb that.

My sincere questions for you:

In the end, do you consider DRM good for you?

Also, aren't you afraid that if we keep going like this, with DRM embedded in our OSes and processors (with no alternatives), we will soon reach a point of no return? I'm talking App-Store like distribution, where they get 30% and handle everything for you, even what you're allowed to say.


I consider DRM a slight net positive - not because it prevents copying, but because it makes it somewhat inconvenient, and thus provides an economic incentive to use a commercial service, where the DRM is implemented transparently.

No, I'm not afraid about the OS thing to be honest. In ~30 years of using computers the trend has continually been in favor of openness, and I think anxiety over DRM taking over OSes and CPUs is wildly overblown, and largely a psychological projection of sociopolitical anxiety.

> I'm talking App-Store like distribution, where they get 30% and handle everything for you, even what you're allowed to say.

Well it's not like the existence of DRM means you lose the ability to give it away in another format if nobody wants to publish it on a commercial platform. This, too, is continually getting better in historical terms, and it's an issue I care very much about personally.


"Piracy is a service problem." -- remember that? There's nothing on Netflix you can't download illegally. People would pick Netflix still because it's a superior experience to what most people perceive as shady sites.

This has always been so with DRM: the only ones it inconveniences are the paying customers. Incredible stupidity.


I use Netflix every day. The DRM doesn't inconvenience me at all. I'm sure someone will be along in a minute to tell me they have to go down a salt mine and they won't have any internet down there and it's such a tragedy that they won't be able to finish watching the thing they started watching on Netflix because stupid DRM.

Sorry, but those are bullshit first world problems. Your life is not significantly impacted by this.


My wireless network is very slow in my bedroom. Also there's often no internet connection on most railway lines in Germany. So we aren't just talking about going down a salt mine.


Like I said, first world problems. You can upgrade or move your wi-fi router. The idea of internet on a train was practically unheard of a decade ago. I'm sorry, but I don't think that being able to watch a movie is so important in every situation that DRM is intolerable, even though I'm a filmmaker.


It's certainly not intolerable to not watch movies on the train, but it's inconvenient. I spend a significant chunk of my time on trains every week where I can watch movies. And due to DRM the illegal product is superior. Guess what people are doing? I've never seen anyone watching Netflix, but I see VLC on a daily basis. It's a service problem.


I mostly see people reading, or texting, or trying desperately to keep their eyes closed.

You're not the first person to claim this, so I have to wonder: is there an unspoken guideline for finding the "DRM-free video watchers car" where I can hang out with these VLC-using folks?


Took the train home yesterday and was sitting behind someone watching a movie. I couldn't connect to the train's Wi-Fi, though I tried the whole trip :(. I really wish I would have brought a movie to keep me company rather than watching their login page load.


Sometimes not being allowed to conveniently do something is good for the brain and the body. Here in China YouTube is not convenient and going to McDonald's is not either. And TV is shit. So we do not have the TV connected at home, eat white rice with veggies and pork, drinking green tea. As a result I am quite fit and in good health, and I have plenty of time for my side projects even with a daily job and two kids (three soon).

So, reading about your no netflix in the train inconvenience, I thought: what a great occasion to read plenty of books, or a handful of long and important books that make you a better/finer human being (e.g. Proust).


I'm not sure what the benefit of HTML5 video is if you still end up being forced to use some proprietary component. You ditch Flash but now you have to run some DRM software.

And there's so much more to HTML5 than video; I disagree that lack of DRM video support would set the rest of HTML5 back in any way.

EDIT: I guess the sandboxing aspect of EME is a significant improvement over Flash running as a plugin.


The benefits of html5 video are practical ones: it simply works better than flash does. It plays without stuttering, the audio works properly, it doesn't steal my mouse focus. Also, it doesn't get webcam permissions by default, or all the other crap that comes along with flash. Sure, it's still DRM, but flash was terrible for plenty of reasons that aren't DRM.


Which is funny, because flash was also great for creating content... If you were building learning demos or content, flash is still better than having to hand-code an alternative with html+svg+js... Though one of my early hopes when Adobe bought macromedia was that they'd push the authoring tool to export an archive file (similar to xaml) that would contain a manifest along with svg and javascript as a bundle. That never really happened though... I still hope that now it can.

I know a lot of elearning content creators that really miss being able to use flash for most things... yeah, the player was horrible, and the formats sucked.. but the content creation experience was so nice. Creating data driven projects with Flex wasn't bad either.


HTML5 video works on phones and tablets


But with EME it will only work on those phones and tablets which are running on an architecture and platform that the EME CDM has chosen to bother supporting. So it's pretty much as bad as flash.


And blu-ray only works on blu-ray players, not Motorola StarTACs.

I don't get most of the arguments on this thread. And I'm very much on the fence about DRM as a producer of licensed content, and a consumer of it.


And video file formats are not physical objects you put in a physical disc player. False equivalence makes your point idiotic. Hard to believe how customers are willing to accept more and more of this bullshit, vendors did a great job at brainwashing them.


And you don't own those intangible things, you license them, so how is it you expect to be able to do MORE than the average consumer of a tangible product like a blu-ray?

It's not a false equivalence fallacy when the alternate argument only inverts the parameters while violating the same logical foundation. And it's insulting to suggest I (or anyone else) have been brainwashed because my world view is a bit more pragmatic than, "give me all the rights."

I'll eat the down votes for that, no problem, because this shouldn't be an adversarial debate between producers and consumers. There may be better ways to approach acknowledging producer rights and consumer usage, even if the consumers who feel their rights are violated are outnumbered by those who have no problem. Sure, the argument could be made, "if only they knew how their rights are being violated!" That argument could be made about any number of situations where one class feels like they need to lift up another one. And it's just as meaningless unless you do something to change the situation.

DRM is evil, blah blah blah, I get it, as a consumer, I do. I also get that there are arguments for DRM that are perfectly valid from the point of view of the producer, even if the consumer thinks that the producer is off his nut. Surely there are people out there on HN who aren't so polarized by this issue? Sometimes, it feels like the US Congress in here.


Actually, for most online video sites users are their bread and butter. (Since they are ad supported) In fact users also provide the content in most cases.


So what, what guarantees you get an EME module for your OS of choice?


Nothing.


>I am not sure what the alternatives are.

Refuse to use Netflix and co.!

>Lack of such feature set HTML5 backwards

No, giving in on DRM set it backwards. The web is intended to be "free and open", which means that DRM is not welcome.


AIUI, EME is basically a standard for interfacing DRM plugins, so instead of the one implementation (Flash) of it that was around before, we might end up with a wide variety of DRM modules? That certainly doesn't seem like a better situation than before, where basically all the RE efforts were focused on Flash's DRM.


Your assumption here about going from one DRM implementation to many is wildly off the mark.

There have been several major video DRM solutions in widespread use for many, many years, including Adobe's Access (in Flash, and other places), Microsoft's PlayReady (in Windows, Xbox, Silverlight, etc.), and more recently Google bought Widevine for its DRM offerings and has spent the last 4 or 5 years building that into the Google Chrome and Android platforms.

Pretty much every major video streaming service was/is using a different DRM implementation. That's nothing new at all.

Your suggestion that somehow there's going to be a shift from one to a lot more DRM providers thanks to EME is uninformed and unfounded.


With NPAPI each site picked one plug-in that worked in multiple browsers. Another site could pick another single plug-in that also worked in multiple browsers. With EME, each browser supports some DRM(s) and there's no single DRM supported by all browsers, so sites need to support multiple DRMs to reach multiple browsers.
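
The per-browser situation described in the comments above, as an added example that is not part of any comment in this thread: a site probes which EME key systems the current browser exposes and picks the first one it also has a license backend for. The function names and the `license.example` URLs are hypothetical; the key-system strings are the identifiers commonly used for Widevine, PlayReady and the EME specification's Clear Key baseline, and the codec strings are assumptions.

```javascript
// Added example (not from the thread). Candidate order is an assumption.
const CANDIDATE_KEY_SYSTEMS = [
  'com.widevine.alpha',      // Google Widevine
  'com.microsoft.playready', // Microsoft PlayReady
  'org.w3.clearkey',         // Clear Key, defined by the EME specification
];

// Minimal capability request: CENC init data, H.264 video and AAC audio in MP4.
const DEFAULT_CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
  audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"' }],
}];

// Ask the browser about each key system in turn. `nav` is passed in (normally
// window.navigator) so the function can be exercised with a stand-in object.
async function probeKeySystems(nav, candidates = CANDIDATE_KEY_SYSTEMS,
                               config = DEFAULT_CONFIG) {
  const supported = [];
  const rejected = [];
  if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
    // No EME at all: only unprotected <video> playback is possible.
    return { emeAvailable: false, supported, rejected };
  }
  for (const keySystem of candidates) {
    try {
      const access = await nav.requestMediaKeySystemAccess(keySystem, config);
      supported.push(access.keySystem);
    } catch (err) {
      // Browsers reject with NotSupportedError when no matching CDM is present.
      rejected.push({ keySystem, reason: err.name || String(err) });
    }
  }
  return { emeAvailable: true, supported, rejected };
}

// Intersect what the browser offers with what the site can license.
// `siteLicenseServers` maps key system -> license URL (hypothetical values).
async function chooseKeySystem(nav, siteLicenseServers) {
  const wanted = Object.keys(siteLicenseServers);
  const { emeAvailable, supported } = await probeKeySystems(nav, wanted);
  if (!emeAvailable || supported.length === 0) return null;
  const keySystem = supported[0];
  return { keySystem, licenseUrl: siteLicenseServers[keySystem] };
}

// In a browser with EME, log the selection; elsewhere this is a no-op.
if (typeof navigator !== 'undefined' &&
    typeof navigator.requestMediaKeySystemAccess === 'function') {
  chooseKeySystem(navigator, {
    'com.widevine.alpha': 'https://license.example/widevine',
    'com.microsoft.playready': 'https://license.example/playready',
  }).then((choice) => console.log('selected key system:', choice));
}
```

A `null` result means the site has no DRM in common with the browser, which is the case the comment above describes for a site that ships only one DRM.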


I kind of miss flash. Security issues aside, Actionscript 3 and the graphics api felt a lot easier to use than js/canvas and was more performant.

It felt like adobe just rolled over once Steve Jobs declared flash dead. They even bundled mcafee antivirus with the flash download, it's like they just want it to be over.


You can check out Adobe AIR; it uses Actionscript 3 and it deploys to web, desktop, Android, and iOS. In practice you can straight up copy-paste an AS3 codebase into an AIR project and have it work 99%. And I like to think that Adobe is more committed to supporting AIR since it's available for mobile.


I think Haxe recreates the API method for method, and targets HTML5/Canvas as well as C++ and other stuff.


Isn't it possible to create HTML5 apps with Flash Pro?


in actionscript? I haven't worked with it for a while but I don't think so. Even if it was possible I wouldn't want yet another layer of abstraction to compile to html.

it's not the graphical authoring environment that really matters. I just prefer the OOP style of AS3 to Javascript.

Open standards are great and all, but the result is that we've had to wait years just for html to catch up to where flash was.


I noticed Firefox sometimes starts busy looping on 2 cores while playing youtube (usually when "buffering"). IMO, they should really move the decoding threads into separate processes so they can be restarted easily (just like Flash was).


Why don't the people with this point of view rail against proprietary fonts the way they do against video codecs? If we took the same approach to fonts then you'd only be allowed to use open source fonts and everything would look ugly. Instead we're allowed to deploy copy-protected fonts to render text nicely and no-one is unhappy.

If the ultimate issue is that people want to be able to steal video content with impunity, it all makes perfect sense. If the issue is technical or has to do with software freedom, I'm unconvinced. Not being able to open my old documents because Word 2025 isn't able to read Word 2004 documents is not the same thing as not being able to archive videos of Galavant that I don't have the right to keep.


Oddly enough, fonts in particular have extreme benefits to open source models of development, the influence of actual research can be applied outright, and open fonts can be deployed rapidly.

I can't imagine a worse battleground to stake your argument on than this one, other than servers.


Why are they calling EME "locks"? It isn't locking anything. It's obfuscation. The most relevant physical analogy would be smog. They should call it what it is; digital smog.


It is a lock. You open it with a key. Just like a physical lock. And just like a physical lock, there are ways to force it open without the key. And just like a physical lock, forcing it open without a physical key is (usually) illegal.


Yes, but it's a lock where they have to provide the key too, and the only way to prevent you from manually opening the lock is obfuscating this process.


And, like a physical lock, you need to provide the users with the key, so that they can use the product.


The nice thing about youtube is it also encodes most videos in webm format so it still plays on XP with Firefox and some old phones

Other sites like vimeo only do mp4


Can I uninstall Flash at this point? What do I really need it for?


Most Facebook games require Flash.


Security is what matters here, the DRM can be circumvented anyway.


Well, hopefully using the Flash player remains an option.


Yes, EFF, we're still not living in a content wonderland where Hollywood studios send their blockbusters to people's browsers in naked <video> tags. Shocking, I know.


Look, if they want to make a plugin that understands their DRM scheme or some standalone app that's basically just a scaled down browser with support for a <drm_video> tag, they can tilt at that windmill all fucking day for all I care.

But I still need a <video> tag that works like an <img> tag in that there's at least one format supported by all major browser vendors that works for that tag, that lets me easily save the video for offline viewing, and is completely unencumbered by patents or licensing issues, so anyone else can make a browser supporting it. If that means I have to use a tag called <supercalifragilisticexpialidocious> instead of <video>, I don't really care. I need that functionality. The web needs that functionality.


You have that functionality thanks to the <video> tag and H.264 and AAC in MP4. That seems to meet all of your requirements. Am I missing the problem? EME and DRM are not required to make that work in Firefox, IE, and Chrome.


H.264 requires a per user license fee paid to MPEG LA until 2027 when the patent runs out: http://www.zdnet.com/article/a-closer-look-at-the-costs-and-...

AAC also requires a per unit license for anyone who manufactures or develops a codec: http://www.vialicensing.com/licensing/aac-fees.aspx

So no, neither of them meet the 3 requirements I laid out.


What does that have to do with EME?


I didn't bring up EME. I just want a video tag with mandated support for at least one totally unencumbered audio and video codec. The suggested codecs aren't unencumbered, and currently there isn't any mandated codec wrt <video>.


That's exactly what they did. Except it works in every browser and every producer doesn't have to build their own custom solution.



