The blame for this sits squarely on the w3c for their efforts in trying to replace flash by letting the content companies dictate standards for encrypted playback.
If they had held fast, we could have forced the companies to do their key management in something like WebAssembly and avoided this gatekeeping mess.
The W3C isn't to blame. No one is to blame, really.
We have DRM, we hate it but it's there, and it serves a purpose. If it is your intellectual property, you get to decide how it is used. And if you don't want to make copying too easy because you think that it will get you more money, that's your right.
The goal of the W3C is not to make to make a political statement about the rightness or wrongness of DRM. They are here to create standards that respond to use cases. And unfortunately, copyrighted content diffusion is one use case, and content owners want DRM.
And if you read the standard they came up with, it is not that bad. They managed to isolate the "evil DRM" part well enough without completely destroying its effectiveness. They also didn't require any proprietary component, though services can require them (that's what happened in the article).
Using WebAssembly (which is essentially optimized JS) for DRM is a terrible idea IMHO. DRM, to be effective, usually requires access to protected system components. It means that to make an effective enough DRM to be accepted by content providers (which is the entire point of the standard), we would need to give WebAssembly way to much power.
>And if you don't want to make copying too easy because you think that it will get you more money, that's your right.
They seem to think that but is there any truth to it? I do pirate some series/movies from time to time (mostly out of convenience) and you can get high quality rips of pretty much anything mere hours after it's available on streaming sites anyway.
So what is this DRM supposed to achieve? Prevent the average non-technical user from saving the stream? I mean I'm sure they wouldn't even know where to start, there's no "Save As" button on Netflix for instance. Simple client-side limitations would do the trick for 99.9% of the population. On the other hand the few technically-savvy stream rippers seem to have no issue bypassing these protections.
DRM works better for interactive content like games because it's not just about ripping the output.
How many decades do we have to suffer through this broken scheme and this technical debt until the right owners realize that they're wasting their time and their resources to push a system that only serves to make it harder for legit clients to consume their contents?
When iTunes got rid of DRM on music files I thought it would be the tipping point where right owners would realize that this scheme was ineffective and counter-productive, but apparently it's still an industry standard for some reason. Have legit users on unsupported systems stream low-res video while the pirates can watch it in 4k for free. Ridiculous.
It's a good point, but I believe DRM isn't just about piracy. It's also about control. I read a good article about this once, but I can't find it anywhere right now so I'll summarize what I remember.
As long as DRM exists, if you want to make a Blu-ray player you have to go and ask the Advanced Access Content System Licensing Administrator for their blessing, so that you can decrypt and play (for example) AACS-protected media. It doesn't really matter that AACS has been broken since early 2007 and that pirates can easily circumvent it - as long as you want to sell a player above-board and not risk potential lawsuits, you still have to go and license it.
(This might not be true for AACS in particular, but AFAIK it is generally true of more recent content protection systems.)
That's when the control part kicks in. Good luck getting that Blu-ray player approved for content decryption if it allows the user to skip commercials, or make small clips of movies and send them to your friends, or other such features. I do believe there would be some amount of demand for those features - well, mostly the first one. However, I don't see the AACS LA ever approving such features while having Disney and Warner Bros as founding members[0].
I'll try to find the original article I got those ideas from. I'll reply again if I ever find it.
That makes a lot of sense actually, I guess my take was a bit naive. I hadn't considered that it wasn't just about preventing piracy, it's about controlling how the content is consumed. Thank you for this insight.
>How many decades do we have to suffer through this broken scheme and this technical debt until the right owners realize that they're wasting their time and their resources to push a system that only serves to make it harder for legit clients to consume their contents?
Where did you get the impression that this isn't what they actually want? The goal is control over users, not acquiring non-users (pirates).
I think DRM in general was never really designed to completely thwart piracy.
The goal is actually to delay the pirated version as much as possible and to raise the barrier to entry when pirated versions are eventually released into the wild.
Instead of that, it's turned pirates into heroes of the common person. After all, why pay and be limited in the way you can watch the thing you paid for when unlimited access exists for free?
> why pay and be limited in the way you can watch the thing you paid for when unlimited access exists for free?
Oh I dunno... have you tried asking one of Netflix's 140M subscribers? Or the 26M people who use Amazon prime video?
The point of DRM isn't to make it impossible to pirate things -- it's to make it difficult enough to get pirated content that most people would prefer to pay a few bucks a month to watch things via a channel where rights holders are compensated. And by that measure, it seems to be working pretty well.
I'm not sure for how much longer it will keep working though. With the increased fragmentation of streaming services (and geoblocking), pirating content is starting to feel more convenient yet again.
When it comes to music, I can most of the time listen to it legally via Spotify or Google Play Music/YouTube Music. When it comes to movies (and especially for older movies), the rights holders give me no choice but to pirate because they simply don't make it available for me to obtain in a legal way.
As an extreme example: I was looking up an old childhood movie "Hugo: Djungeldjuret". The rights holder have stopped distributing the movie and they no longer sell it, but they do issue copyright claims and take-down requests towards anyone who hosts it. How am I supposed to watch a movie like that in a legal way when the only distributor has stopped distributing it?
My point was that, for movies and TV shows at least, this simply doesn't work. The delay is small enough that it's usually negligible (a few hours in my experience). For live events (especially sporting events) of course that's enough to make pirating impractical, but for the new episode of Game of Thrones it's really not much.
Furthermore I assume that most of that latency is not due to the time required for pirates to break the DRM but rather the time for the original riper to encode the file and share it through the pirate food chain until it reaches the public trackers that I use. You'd still have to wait a little while to get your pirate file if you don't have a subscription to the official streaming service.
> For live events (especially sporting events) of course that's enough to make pirating impractical, but for the new episode of Game of Thrones it's really not much.
I think you underestimate how many people prefer to watch the latest episode as it airs.
> not due to the time required for pirates to break the DRM
Even if the DRM is already broken, you can't just ignore the initial time spent to break it.
> until it reaches the public trackers that I use
Let's say you stopped 100 random people on a busy street and asked them what a "public torrent tracker" is. How many do you think would know what that even means? And of those who do, how many do you think would actually be able to download a movie through a public tracker?
This is why Popcorn Time was such a huge hit: it provided effortless access to movie torrents for the masses. Obviously, this also explains the rapid response by content publishers to crush the project.
>I think you underestimate how many people prefer to watch the latest episode as it airs.
I don't, but even without any DRM you still have the delay between the moment the ripper manages to get the file and the moment it's available for download. DRM doesn't really change anything here. It's not like for games where DRM can delay the release of cracked version by days or even sometimes weeks.
>Even if the DRM is already broken, you can't just ignore the initial time spent to break it.
For movies and TV shows I think I can. It's just so full of holes and broken implementations that it's usually trivial to crack. I have yet to see the release of a good quality movie or TV show because they couldn't crack the DRM.
>Let's say you stopped 100 random people on a busy street and asked them what a "public torrent tracker" is. How many do you think would know what that even means?
I honestly don't know, but I do know that streaming solutions and direct download websites are pretty mainstream in my experience. Megaupload was huge for instance.
But even if you're right and it's obscure, doesn't that make DRM even more pointless? If people don't pirate because they don't know how why would they start ripping Netflix streams? Technically speaking it's even more involved.
> I don't, but even without any DRM you still have the delay between the moment the ripper manages to get the file and the moment it's available for download.
You're missing the streaming option. But alas, watermarking + ContentID + DRM have essentially conquered that realm. Acestream and IPTV are two surviving options, but the barrier to entry is not low for these.
> For movies and TV shows I think I can. It's just so full of holes and broken implementations that it's usually trivial to crack.
I don't know enough about current media DRM solutions to comment here. What I do know is that will likely change once TEEs/enclaves become more widespread on consumer devices.
> If people don't pirate because they don't know how why would they start ripping Netflix streams?
"Right-click > Download" versus, at the very least:
1. Finding a reliable torrent tracker
2. Downloading and installing a torrent client (viruses galore!)
3. Finding a torrent with enough seeders
4. Figuring out which version of the movie/show to download (what's a "nuke"? what's up with the quality (cam)? why is this movie split into 37 .rar files? where are the subtitles? why is the audio out of sync? etc. etc.)
You and I have already gone through all of this the hard way, but it's important to realize that it's not intuitive at all.
If it is your intellectual property, you get to decide how it is used.
Another poster here made an interesting point, that this wasn't true until the 90s. Deciding "how it is used" is different from (and broader than) deciding "who gets to distribute it".
> Another poster here made an interesting point, that this wasn't true until the 90s.
This was always true. Most copyright traditions recognise Droit Moral, and the right for the author to determine the integrity and treatment of the work, and have for, in some cases, literally hundreds of years.
The problem is that pretty much the only way to satisfy those obligations is to turn the internet into a huge walled garden (as is currently happening). So we'll either have to accept the consequences of that, decide that some of the rightsholders' claims described above are not in the public interest or find some kind of middle ground.
The W3C, Google, Apple and MS and the TV manufacturers could have said "OK then, keep your content to yourself, let's see how your business does without us providing ways to deliver your crippled content to the eyes and ears of your customers."
But of course they didn't say that, because most of them got some direct or indirect interest in DRM, enough so that the few remaining players did have no choice than to hop on board, too.
Blame Google and Microsoft. They were the people who created the specification, and pushed for it, when Netflix came begging for a solution to their DRM conundrum. Even if the W3C hadn't approved it, that's two of the big four browser vendors who are committing to implementing it anyways, which is enough to guarantee a de facto standard anyways.
No, blame the movie studios, record labels etc. They're the one which require asinine DRM support for web browsers. Google/Microsoft/Apple/Adobe want to support media content, but to do so requires towing the line with the media companies otherwise they refuse to license the content (at least in HD+).
Having worked with various DRM teams I know that they have to treat their code as if its the most secret code in the world, if they don't the media companies can swoop in and ban them and then no Netflix for your users. This is why Widevine code isn't open source (other than the glue EME code) and is almost certainly the reason for the refusal to work with a small open-source form of Chromium. If for example the project was used to "steal" content the media companies would be mad at Widevine, with lasting repercussions for all Chrome users.
It's worth noting that typically all DRM teams work as if the hosting environment is an adversary. For example Widevine don't trust anything Chrome says as someone could recompile it and lie about the security. The only times this is relaxed is where the platform is deemed secure, such as CrOS or iOS.
> No, blame the movie studios, record labels etc. They're the one which require asinine DRM support for web browsers. Google/Microsoft/Apple/Adobe want to support media content, but to do so requires towing the line with the media companies otherwise they refuse to license the content (at least in HD+).
Let's say Google, Microsoft and Apple announce that they will be removing any DRM from their browsers on 2020-01-01. They will also remove any DRM playback app from their App Stores. So no Netflix on PCs, Macs, iPhones, iPads or any Android device (including stuff like Android TV).
Media companies would rejoice. Since such a coordinated move from Google, Microsoft and Apple would destroy streaming for everyone indiscriminately, it would re-level the playing field and enable everyone to start competing anew. Disney, HBO and others would fork Chromium and add DRM support back, then market the shit out of it. They'd start signing deals with phone and TV manufacturers to get their DRM back, each preferably in a way that excludes the others. There'd be a lot of churn as whole media space gets re-balkanized, but that's all good, since churn means they make money.
A lot of smaller companies would die, and a lot of users would suffer - but none of the parties involved actually cares about the users; we're just a natural resource to be stripmined.
The internet before streaming (when downloading postage stamp clips took 3 hours) was close to that described state, and people just exchanged burned CDRs right and left.
Even elderly people were using and watching pirated stuff installed by their kids as they just couldn’t bother.
No DRM support in major browsers would mean pirating becomes the #1 way to see anything again.
Just as the only browser with DRM would have a huge advantage in that scenario, the one streaming service without DRM would have, too. I honestly think Netflix would take that chance for their own content.
This is the most plausible outcome. Netflix wouldn't just leave that money on the table and the most obvious thing to do would be to provide the support they want from browsers themselves.
Users follow use cases and would not be averse to spending 30 seconds installing something in order to watch their favorite content.
There's also sort of a game theory situation with the removal of DRM, as it would be a competitive advantage being the only one that supports it.
All Netflix movies are on PirateBay already, in spite of their DRM. I’ve seen movies pop up on PirateBay the day they are released. They wouldn’t leave any money on the table.
People paying for Netflix are paying for convenience. That wouldn’t change in absence of DRM.
I think you're greatly underestimating how much more cumbersome torrenting is even compared to a plugin, especially for "normal" users who are not necessarily tech-savvy.
This argument is repeated ad nauseam but it’s false, all it takes is a torrenting app installed, that’s the only threshold.
But back to the point, if Netflix wouldn’t use DRM, it would change absolutely nothing since copyright infringement is still illegal and those DRM protections are completely useless.
Can my torrenting app stream my video, or do I have to wait for a full assembly of the pieces from torrent hosts and enough downloaded to watch it?
If the latter, torrenting is plenty cumbersome enough that if the studios are pushing movie-viewing to "Pay us money or you have to torrent it," they're winning.
Yes, and this functionality has been built into many of the largest torrenting programs out-of-the-box for quite some time now. In the case of µTorrent, it was added in version 3.0 all the way back in 2010.
Obviously, how quickly the stream will buffer depends entirely on the state of the swarm. Popular items will work almost immediately, while particularly unpopular items won't be streamable at all.
Anecdotally, I have personally witnessed my (very nontechnical) friends streaming 4+ GB 1080p ...popular cat videos... that weren't available from Netflix. They did not struggle with the process in the slightest.
I don't think it would, unless it begins playing within thirty seconds of the user choosing a video and provides an uninterrupted streaming experience?
Last I checked, the BitTorrent protocol didn't provide packet sorting that would allow for this behavior (by forcing the beginning of the movie's bytestream to be the first data downloaded), so my mistake if the protocol has improved and I was unaware it provided this service.
How easily, and how much setup is necessary? Remember, we're talking about competing with a service that doesn't even make the end-user consider whether that is a problem that needs to be solved (just plug in a credit card and off you go).
A coder spent an hour changing the code, once, and now it requires zero effort for users. They never know the difference. Open popcorn time and wait for it to quickly buffer.
This would be an authoritarian action, compared to just opting out of supporting something. There's a huge difference and I think these organizations' supposed interest in ethics precludes that sort of move.
DRM is not illegitimate. It just sucks and operates in a way that is immune to free market competition - the reasons for that immunity are the true thing to fix. Users should have alternatives as there is a clear market there. If DRM is so bad, then that's what should kill it.
This is the correct solution. The big tech companies control the distribution channels. Currently, they bend to the requirements of large content producers. If they leaned the other way, toward open source and DRM-free distribution, the producers would have no choice but to comply.
Of course, content producers could run back to the state for more protection (as they always do) and get legislation forcing browser makers to comply. And around and around it goes.
> Of course, content producers could run back to the state for more protection (as they always do) and get legislation forcing browser makers to comply.
Implementations of such forced-by-court features tend to be buggy. ;-) The implementation bugs might differ in subtle ways in each new browser release. ;-)
Consumers will have to purchase or rent horrible and overpriced hardware supplied by broadcasters. Like they were doing for decades with satellites, and early IPTV.
Piracy will raise a lot. Many users don’t want to pay, or can’t pay for that custom hardware. I was using Netflix service for some time without major issues, but they don’t have anything in my country, too small one, they won’t be selling and supporting their set top boxes any time soon. Unlike accepting credit cards and broadcasting videos, physical retail doesn’t scale that easily.
Why would they need to remove the DRM playback app in your scenario?
If they would only remove it from the browsers, they would start pushing their native applications like Netflix for Linux, Netflix for Windows, Netflix for Mac. And browsers would be free of their DRM which causes all this.
Torrent is something that I have nothing to complain about. It's decentralised. No big corporation is trying to control it. It's truly by the people for the people.
I wonder if more protocols like this will get invented and become mainstream. Or those glorious days are already behind us? Since every big corporation is just trying to grab market share by creating walled gardens for everything.
I assume that policing of torrent networks by the authorities will continue to increase. As a result, I'm hopeful that darknet (ie social connection based) solutions might emerge at some point. Why use a VPN and a tracker (private or otherwise) if I could request things via (anonymized) friend-of-friend-of-friend in a straightforward manner? That way you only trust your immediate network.
No, I think you’ve missed my point. A technology that prevents generally honest people from slipping casually into dishonesty sounds valuable. Battling people who are determined to be dishonest sounds much less valuable.
Making a personal copy of a video you've paid for is in no way dishonest, and the user downloading it from a pirate site without paying is in no way impeded by DRM.
The only thing it could even arguably be doing is preventing users from uploading videos to pirate sites, but that is empirically a massive failure given that all of the videos are already on the pirate sites.
So all you're doing is battling the honest people who have paid and then want to make a copy for format shifting or some other fair use. And the legitimate value of battling that is a negative number.
I suppose in the case of Netflix and the like, it stops me from getting some lossless downloader browser extension that would surely exist but for the DRM and... what? Getting stuff to watch after I let the subscription lapse? Giving copies to my friends?
The former is about the same effort as torrenting and about as obviously dishonest. The latter is mostly possible using Netflix as intended as long as I don't mind sharing my password with them.
I'm pretty sure some method Netflix uses is broken anyway. People don't seem to have trouble uploading 4k rips to Usenet. (Though I haven't actually checked recently.)
We were sold DRM as "the evil legacy studios are evil and make us use DRM". Well, now that Netflix produces their own content and it's still DRM'd... I guess that isn't really the reasoning.
Netflix doesn’t make most of their content. They just have exclusive license to show it. The studio that makes it still demands DRM.
In the rare case of content that is actually made by Netflix, it’s easier to just put DRM on it, because otherwise every system dedicated to encoding and playback would have to have a code branch that was special for non-DRM content. It would be a maintenance nightmare. It’s a lot easier to push all content through the same pipelines.
It’s very rare. I’ll bet you can’t name a single show that Netflix produces. Remember all those big name shows are produced by other people and then sold exclusively to Netflix.
DRM does not benefit Netflix. It’s complicated and takes a lot of resources to run. They’d much rather not have to deal with it at all. Having DRM does not gain them any customers — in fact it loses them some. But it’s the only way they can get content.
Come on, that can't possibly be right. If they can get shows sold "exclusively" to them, why can't they get shows sold to them without DRM requirements?
(The closest I can get to an explanation is that the "exclusivity" deal might be limited to online streaming platforms only, and whoever is selling the content still worries about everything else. But streaming is a significant and growing portion of all media consumption (and could be even more so, were it not for that pesky DRM), so I'm extremely skeptical that this would be a real issue.)
They probably did negotiate DRM free licenses. But the cost for implementing a separate DRM free pipeline is very high, and there would be little ROI to the business. Not having DRM on just the Netflix content would get very few new customers, if any, especially given that this whole argument only applies to web streaming anyway.
> ...and there would be little ROI to the business. Not having DRM on just the Netflix content would get very few new customers, if any...
This is where your narrative is strategically short-sighted. It would be a very significant leverage point for their own proprietary content over the traditional media companies' - the kind of thing that 'disruption' is built on!
If Netflix is paying for shows that are produced, and they have exclusive rights, they can attach any distribution terms they want to them.
You can't tell me with a straight face that somehow they don't have this power.
DRM absolutely benefits them because it ensures that only parties they permit are allowed to access content, for the same reason it benefits other media companies.
> DRM absolutely benefits them because it ensures that only parties they permit are allowed to access content, for the same reason it benefits other media companies
The fact that every pi8ece of Netflix content is on the pirate sites within hours of release would prove otherwise. Netflix is well aware of the uselessness of DRM.
And you're right, they probably did negotiate DRM free licenses. But you missed the other part of my post -- the cost for implementing a separate DRM free pipeline was very high, and there would be little ROI to the business. Not having DRM on just the Netflix content would get very few new customers, if any. How many people would say "man I would totally sign up for Netflix if only their own content was DRM free, even though I'd need a DRM enabled player to play everything else, and oh yeah this only applies to web streaming anyway."
I would argue the increased customer satisfaction from being able to stream 1080p/4K quality in more browsers with less esoteric hardware would be worth the extra implementation complexity (currently higher resolutions are disabled on browsers with weaker DRM or hardware without a pure HDCP path)
Netflix 4k streams are like 25Mbps at best. The US average broadband speed in 2017 was around 50Mbps. There is no problem getting 4k to consumers.
Whether or not they have a 4k display... that is probably the blocker. I have a 4k display but it's not my primary display (instead opting for a 165Hz 1440p panel) and I never bothered to buy a 4k TV, given how dirt-cheap high-end 1080p TVs are. Would much rather have the black blacks of a $500 1080p OLED TV than a $3000 washed-out 4k LCD.
That average broadband speed is deceptive, because it includes people who have gigabit at home. The more interesting number is the median speed. But even using averages, not a lot of countries yet have the speed to support 4K streaming[0], and like you said, even if they have the bandwidth, they need the equipment.
Both Amazon and Netflix make the most money and are best known for their excellent original shows. Why did they bother to setup DRM for them? If they opposed it, they could have made it a selling point that you could watch them in 4K on any device without hassle.
Then Google/Microsoft/Amazon and others who are being impacted by this issue should throw some non-trivial money at media creators who are willing to commit to DRM-free content. Like Creative Commons or the Blender Foundation, for starters. We had a comparable opportunity there when Netflix started offering streaming services, but they chose to go with DRM across the board. Fine, whatever. But unless the tech industry seriously gets behind this, Big Media will start to take their "content" hostage and mandate use of their own DRM 'solutions' to "protect it adequately" - with royalties for use set as high as the market will bear. Yeah, you can say that would be an antitrust violation, whatever. Legal processes take a long time, and Big Media have plenty of political support behind them. They don't have to care if they can make things crappy enough for everyone else.
What is the point of this "blame", especially stating it as if it were exclusive? All of these companies are past the startup/responsive/customerserving stage. They're immune to public opinion when you just keep on patronizing them.
Rather, focus on concrete steps you yourself can take:
1. Make sure the hostile black box is not available / disabled in your browser. So when you end up at a page that wants to use DRM and it doesn't work, you simply attribute the problem to the website being broken (which it is), and move on. If you do need to keep using the DRM crutch for now, then only use it on a separate dedicated browser or device.
2. Base your media setup around a DRM-free pipeline (eg Kodi). Make torrenting content your default. If you want to pay indie creators for DRM free downloads, feel free. But don't fund any studios that generally push DRM.
3. Share downloaded content with friends (eg USB drives), encouraging them to not fund Netflix et al developing and promulgating more DRM. This is especially relevant for "exclusive" releases that are meant to push people into signing up for yet another subscription.
As the OP explained in the backwards complaint, DRM support is NOT required for web browsers. You can make a web browser that does not render DRM content.
Google/Microsoft/Apple/Adobe want to support
media content, but to do so requires towing
the line with the media companies
Sounds like the problem is the web browser companies also deciding to be movie streaming companies. Thus giving movie producing companies leverage over web browser tech.
If it weren't for Google Play Movies and iTunes Movies they could have just told the MPAA companies to take a hike.
"when Netflix came begging for a solution to their DRM conundrum"
Does Netflix DRM even "work"? I've never personally seriously looked around for how to break it, but I note there are still plenty of people who seem to manage to review Netflix-based shows on YouTube with video clips of sufficient quality [1], and at least some of the reviewers in question I am fairly confident aren't getting any sort of privileged backdoor access or anything.
Is it "anyone can crack with a smidge of effort" or "it's really hard but it spreads once cracked"? I'm not asking for a lot of details of the crack per se, just general details of how successful it can be said to be in practice.
[1] I'm not claiming they aren't necessarily re-re-encoded by the time they get to me, but if they are, I can't tell for sure, so I'm going with "sufficient quality" as a description.
HDCP is broken, so people just get their captures from there I think. The Widevine stuff is also clearly not as trusted by publishers, which is why they only publish 720p streams on it IIRC. I think this is because it gets less help from the platform to prevent copying the frames.
No, this used to be the case, but isn't any more. Captures using lossless capture cards are called Webrips and generally disliked because they have to be reencoded (losing quality) and can only be ripped in realtime. For a long time now the better p2p groups (and even some scene) have figured out how to extract the encryption keys directly from the EME modules. So most of the Netflix rips you find on torrents these days are actually byte-for-byte copies of what you would view on Netflix.
Actually they should be byte-for-byte copies, but generally aren't, since Netflix makes you jump through half a dozen hoops to get the highest quality streams, so pirated copies are actually much better quality than what you can get on Netflix.
There are gazillion of 1:2 and 1:4 Chinese video splitters that strip HDCP from up to 4K sources letting any capture card rip anything that can be played on up to 4K TV.
A researcher on twitter recently cracked widevine level 1 quite quickly according to himself. No proof of concept was offered but he seemed to be claiming it was fairly simple. Netflix uses level 3.
The browser has to decrypt it somewhere along the line to play. Always was interested in tinkering around with it.
For a starting point I'd be going through chromium and checking out how they implement widevine.
For a while now there's been rumors in the torrent scene that a few people have broken it, but keep coy in case it gets patched. Then again it's trivial to screenrecord at the cost of time. Who knows?
Netflix only requires level 2 for HD streams, IIRC. SD streams can be level 1, I think.
Level 3 requires a secure path all the way to the display (so the decryption happens in a Trusted Execution Environment, the keys are stored in a Trusted Platform Module, and HDCP or similar to the display). Level 3 practically only exists on mobile currently, as Intel's SGX (their TEE) is typically disabled by default on what processors do support it.
I blame the OSS community that rolled out the red carpet for DRM. They are the only ones who really had a choice to make. I frankly don't blame the corporations pushing this, because they have been trying the whole time.
And they did it for the worst reasons. Vanity and pride. The corporations pushing DRM are merely motivated by greed.
But the players in the OSS community that opened the door for DRM were TERRIFIED of being labeled as "obsolete" or losing pretend "market share". They refused to take a stand against DRM, if it meant losing any users. Just look at the discussion thread where Mozilla decided to support DRM.
The arguments in favor of DRM by the OSS community are always the same:
- We need to support terrible DRM because it is popular (and being numerically popular is super important).
- We need to compromise against our users because if we don't then we won't have any leverage (which we are conceding we don't have anyway)
- "marketshare"
- "integrated branding"(?)
None of this makes sense, because Google, Apple, and Microsoft have completely different goals with building for-profit forms.
People who speak in slimey business sales marketing speak are making decisions about the direction of OSS software. And these people are obsessed with cargo-culting the big commercial platforms.
I have no sympathy for Netflix; not too long ago, Linux users had to jump a series of hurdles just to be able to play Netflix videos (including installing 32-bit Mono and Silverlight (yuck) and faking the User Agent string). As an end-user I'm happier now that it just works; as a FOSS fan, I blame the "content-owners" onerous demands for DRM.
It was never gonna happen; as soon as Intel introduced SGX, any DRM-producing company that wasn’t taking advantage of it would be seen as failing their shareholders. Even if Flash had died on schedule without browsers offering a native browser-DOM DRMed-content API, DRMed-content producers would just have jumped to another tech the DRM vendors sold them.
My guess is that, if browser vendors wouldn’t have played ball, the DRM vendors would have worked with one of the JRE vendors to optimize the Java applet runtime, and contributed to performance improvements on the browser side for all the open browsers, such that “Java applet” would no longer be a scary heavy-weight thing nobody wants their browser to launch. That would be (one of) the implicit threats hanging over browser vendors: if you don’t cooperate, we’ll take your control over innovation on the web away by refocusing it on an improved Java experience.
How is that "threat" a problem? That sounds like an Old Microsoft objection to cross-platform code, but the web is already cross-platform code, so that doesn't make any sense.
And if the browser vendors really didn't like it for unknown reasons then they could have just stopped supporting Java in the browser, as has largely already happened for various other reasons.
This is one of those "we all must hang together or we shall all hang separately" situations, and they apparently decided they'd prefer to hang separately.
No, if the Director had overridden the majority of the membership, the browser vendors would've shipped something anyway, and the YouTubes and Netflixes of the world would be using it anyway.
Essentially. The money gated behind a closed DRM solution is so large that the w3c ran the risk of becoming an irrelevant standards body for this space if they didn't comply with what their members wanted to do.
It's sub-optimal, but I don't think an optimal solution actually existed. A standards board divorced from reality is no better than no standard at all.
> No, if the Director had overridden the majority of the membership, the browser vendors would've shipped something anyway
That's fine. It's better that the burden for maintaining non-standard plugins be put on the sites and browsers that choose to do that, rather than be placed on everyone else.
It's funny how people try to make "standard" mean something magical when it's not. An Internet standard is just a document written by a committee of people who intend to do what it says. They then publicize it and try to get people to go along with it. You can't keep people from getting together to write a document or from doing what the document says. You can just choose whether to participate.
If W3C chose not to help write the DRM standard, the browser vendors could easily create a new organization and write a standard anyway (as happened with WHATWG).
Browser vendors and website authors could then read that document just as easily as anything published on the W3C website, so there is no "burden" for them. There would be no difference to the end user. The only burden we're talking about is the inconvenience of setting up an organization to do the writing. It's a minor speedbump at best.
The upshot is that there is no way to prevent browser vendors from standardizing anything they want. It only gets blocked if they disagree.
No one is implying that not infecting W3C with DRM is going to kill DRM. Of course anyone can agree to things in whatever organized way they want to.
The reason to keep it out of W3C is because it violates their core mission: https://www.w3.org/Consortium/mission#principles . Other organizations with a different mission are free to do as they wish, obviously.
How would that have improved the current situation? The videos that Metastream wants to play would still have been DRM'd and would still be playable in the mainstream browsers. What would the benefit have been? What burden is being placed on people now that wouldn't be placed on people in that scenario?
Making the user experience of DRM worse is better because then fewer people will use it. If the platforms all made it so that you have to solder a new chip into your phone before you can play DRM content, there would be a lot less DRM.
The argument that platforms have to do this for competitive reasons is doublethink. If the experience is worse and that will cause customers to flee, how is it that they would only flee from the platforms that don't have DRM but not the content providers that require it? Wouldn't that create a huge market opportunity for new DRM-free studios, who would then out-compete the traditional ones by being available on all platforms instead of only on Insecure Expensive Proprietary Slow Cableco Platform Nobody Likes?
> If the platforms all made it so that you have to solder a new chip into your phone before you can play DRM content, there would be a lot less DRM.
I mean, yes, but why would they do that?
> Wouldn't that create a huge market opportunity for new DRM-free studios, who would then out-compete the traditional ones by being available on all platforms instead of only on Insecure Expensive Proprietary Slow Cableco Platform Nobody Likes?
You're assuming that content is fungible. If I want to watch Game of Thrones, I want to watch Game of Thrones, not "Winter Dragon," and "Winter Dragon" being DRM-free won't incentivize me to watch it.
Furthermore, development of media content is expensive and requires a bunch of up-front capital / investment. So while there is a market opportunity, it isn't obvious that taking advantage of it without connections to the existing industry is a profitable strategy.
So that they're not beholden to adversarial corporations.
> You're assuming that content is fungible. If I want to watch Game of Thrones, I want to watch Game of Thrones, not "Winter Dragon," and "Winter Dragon" being DRM-free won't incentivize me to watch it.
Except that it is fungible, it's just not universally fungible.
The reason Winter Dragon isn't fungible with Game of Thrones is that you don't like it as much. You'd rather watch Game of Thrones. But there are thousands of shows, and out of those there are hundreds you might want to watch, yet there is only time to watch dozens or fewer.
Nobody can actually watch all of the shows they might want to watch. Letting "lack of DRM" be the thing that chooses between the ones of equal desirability to you is as good a way of pruning the list as any.
> Furthermore, development of media content is expensive and requires a bunch of up-front capital / investment. So while there is a market opportunity, it isn't obvious that taking advantage of it without connections to the existing industry is a profitable strategy.
Who says it has to be someone without connections to the existing industry? New independent studios form all the time as existing talent strikes out on their own. All it takes is for one of them to prove the market before everybody is doing it.
> So that they're not beholden to adversarial corporations.
What is so adversarial about these corporations to the browser makers? What benefit, concretely, do Microsoft or Google or Apple get from being free of the shackles of Disney or CBS?
One concrete benefit I see is less risk of the third-party code destabilizing your code because it has bugs and is running within your address space, but there's an easy solution there: sandbox the EME blob like Firefox (and other browsers too, I assume) does. Then its crashes and buffer overflows don't become your crashes and memory corruptions.
Only in the case of Firefox is it really third-party code; both Chrome, Edge, and Safari ship with the EME modules developed by the respective companies, but they still sandbox it.
Plugins like Flash, which are the historic answer for DRM on the web, have a huge surface space and can interact in the browser in all kinds of odd ways. These EME modules are much smaller, they are much less powerful (AFAIK they either return a frame to the browser to composite or directly to the OS compositor, so you don't need to worry about how they change layout and then change layout again as you reflow), and as a result of that can be put in stricter sandboxes. That's a clear win from a browser security and stability point-of-view, which is a concrete benefit for browser vendors in making it viable to drop Flash (and dropping Flash without providing a replacement for encumbered video isn't an option: breaking websites like Netflix will cause users to use other/older browsers that do support Flash).
> Only in the case of Firefox is it really third-party code; both Chrome, Edge, and Safari ship with the EME modules developed by the respective companies, but they still sandbox it.
They still sandbox it because from the user's perspective it's still an unauditable black box, so at least the user can verify the sandbox. But that doesn't actually solve the problem, because the black box code is interacting with black box hardware. If there is a bug, you've done the opposite of sandboxing it -- you've prevented it from being traced and given it direct access to hardware.
> and dropping Flash without providing a replacement for encumbered video isn't an option: breaking websites like Netflix will cause users to use other/older browsers that do support Flash
The solution to Flash should have been to have someone reverse engineer it and publish a 100% open source implementation, including the DRM. Then let them keep publishing using Flash format as long as they like, but no more black box.
> What is so adversarial about these corporations to the browser makers? What benefit, concretely, do Microsoft or Google or Apple get from being free of the shackles of Disney or CBS?
These companies make Xbox, Chromecast/Stadia, Apple TV, etc. Things that could plausibly be a media center, given some latitude and open standards. You could upload your movie collection onto it, give it your streaming account credentials and it gives you a single interface to all your media.
DRM kills that. You can't make an interface that allows the user to watch a Disney movie they've paid for and then have it show the YouTube commentary on it. You can't have something that recommends Orange Is The New Black after you watch The Wire because one is Netflix and the other is HBO.
Because DRM allows the studios to assert rights that copyright doesn't give them. That's all it does -- that's why they want it. It clearly doesn't prevent piracy.
> One concrete benefit I see is less risk of the third-party code destabilizing your code because it has bugs and is running within your address space, but there's an easy solution there: sandbox the EME blob like Firefox (and other browsers too, I assume) does. Then its crashes and buffer overflows don't become your crashes and memory corruptions.
The problem with this is that it can't simultaneously have such low privileges that it can't do anything harmful even if totally compromised by malicious actors, while also having such high privileges that it's immune to interference by even the owner of the system with physical access to it. They're diametrically opposed objectives. And the second one systematically fails regardless, but having to pretend that that isn't the case compromises the ability to do the first.
Would it have made the user experience of DRM any worse than it currently is, though?
The DRM module would still ship with Chrome and Edge (and likely Safari too, given Apple became involved pretty quickly), you'd still need multiple different streaming formats (in the form of different DRM formats) as you do today, and maybe you'd need slightly different JS codepath per-browser too (but that's not a big difference to today with the different DRM formats).
It's very unclear to me that the W3C refusing to be involved from day one would've led to any outcome very more than subtly different than the one we ended at. At the point that the specification went to Recommendation, there were already multiple interoperable implementations, so objecting at that point was purely a matter of principle, it literally wouldn't have affected the outcome in any way.
If the W3C making the right decision would make them irrelevant then what has actually happened is that they're already irrelevant, and becoming a rubber stamp on bad ideas only serves to prove that and erode their credibility.
Moreover, such organizations are made up of their members, and it's up to the members to do the right thing as well. Nobody had to volunteer to be the first to add this gunk to their browser. It can't be a competitive disadvantage if nobody else has it either, and it can't be a competitive advantage if everybody else has it, and those are the two options so why not choose the first?
This is just the age old discussion of whether it's better to capitulate in small ways so you can steer a group away from bad behavior/decisions later or to make a stand on principle to draw attention to the current bad decisions.
As much as some people like to say one is better than the other, I think the answer is always "it depends". Unfortunately, it depends not only on the relative power and momentum behind the current problem when deciding, but also on unknowns such as what will happen in the future.
It's hard for me to find too much fault in them deciding that they would rather stay somewhat relevant to the process than become obviously irrelevant (if that was indeed the thought process), as there's still a lot they can affect in the future. Armchair quarterbacking about what they should have done isn't too useful in my eyes.
Except that there was no such trade off here. If they refuse to approve DRM and then some browsers unwisely implement it anyway, having their approval makes it worse, not better. The browsers doing the wrong thing can claim to be following a standard, even though the standard is useless garbage because the entire point of having a standard is so that anyone can implement it, which in this case they still can't.
The trade off is in relevancy. If the standards body doesn't force a confrontation it knows it can't win, then it retains some power that it can throw behind or against future proposals. If the major browsers have already decided to completely ignore them and create their own consensus, there's that much less reason to listen to them next time. Not only has a precedent been set, but coordination on features outside the control may have already been somewhat standardized behind the scenes (beyond what they already do), making it easier next time.
The downside is as you say that the browsers can point to the standard as for why they implemented it, but that's why it's a trade off, and not cut and dry (IMO)
You seem to be mistaking the fact that the W3C for Web Standards is just the browsers. The last time it wasn't, the browsers formed WHATWG and the W3C became irrelevant.
The existence of features in any piece of software is a burden on further development of said software. Every time we go to add some other new feature to the spec we have to take into account how it will affect EME. That's just how software works.
The W3C exists partly to take the blame off of its members for the decisions that they agree to unanimously. Blame the W3C members for their decision to screw the user.
The W3C membership nowhere near unanimously approved the advancement of the EME specification to Recommendation; that much has been said publicly by various people over the course of the past few years.
The majority of the membership was in favour, definitely, but it wasn't unanimous. Some members I think it's predictable how they voted (MPAA may have voted in favour, EFF may have voted against); others less so.
I don't suppose you remember, but they did their key management in native code plugins 10-15 years ago. Silverlight and Flash both had DRM capability, IIRC. I've worked with that and it was no joy at all.
Without W3C DRM they would have kept those plugins alive instead of deprecating them. I see no reason why they'd have migrated to webasm, webasm wouldn't provide the know-thy-customer aspect the DRM people want.
> The blame for this sits squarely on the w3c for their efforts in trying to replace flash by letting the content companies dictate standards for encrypted playback.
It really isn't. The W3C at the very least permits a solution whereby content companies liberally distribute binary blobs for every platform under the sun. Hell, it even permits an open source solution that e.g. speaks directly to the DRM hardware in graphics chips (don't know if that would be technically feasible, don't shoot me).
It doesn't have to be this way.
In this context it's really specifically Google being assholes about this. They can choose to not be assholes about this. The fact that the W3C allows them to be assholes about this doesn't change the fact that Google is choosing to be this way about it.
How would have that worked? If you do not sign every single file per user, there is no real way to get something secure if you do not controle the whole processing pipeline.
This is a truly out-of-touch comment. People want their content first and foremost.
Besides, any kind of large-scale user revolt that isn't basically just a mob-like reaction is usually the result of a top-down, coordinated campaign. See the protests against SOPA/PIPA for an example - big websites had to throw their weight behind the idea for it to take hold. The web is simply too diverse and quick moving of a place to expect some kind of people's revolution when it comes to DRM.
I can't speak for the person you're responding to, but it doesn't seem like much of a mystery why non-techies don't know about the specific details of why they can't save a streamed movie to watch it offline, or in a non-approved open source video player. That glib attitude of captive audiences is exactly what DRM vendors prey upon. They know exactly how much they can get away with at this point.
> I can't speak for the person you're responding to, but it doesn't seem like much of a mystery why non-techies don't know about the specific details of why they can't save a streamed movie to watch it offline, or in a non-approved open source video player.
To me, the mystery is not that the people don't know about these details (these details are indeed somewhat complicated - I agree), but how much they don't care.
Non-tech users generally don't have the necessary knowledge and mental models to place technology the market is offering in context of what is possible. They think what's available, even if it's annoying, is the best that's possible. It always looks new and shiny, so it must be the limit of what could be. They don't realize that modern tech could be much more capable, and much more empowering, if not for constant shitty, greedy and people-hostile decisions made by those who make and sell it.
Of course they don't care, why would they be given a chance to? The anti-features, inconveniences and limitations are not advertised and are downplayed whenever anyone mentions them.
That's like saying the blame for pollution caused by burning coal lies squarely on the shoulders of anyone who uses electricity. Decisions are made, 99% of people have no clue what's going, and it's unreasonable to expect them to.
If there's nothing but coal powered electricity generation then vote to change it.
If the company you buy electric from uses more coal than others, then change company.
IMO ordinary members of the public take more responsibility in that because it's relatively straightforward to understand: buy your electric from renewable generation and get less negative environmental impact.
Understanding the best sources of power is hard however, so consumers have to trust published government research for that.
The comment I responded to was quite clear about placing "all" of the blame on consumers, but sure; we all share some responsibility. The problem is that placing the blame on consumers will get you precisely nowhere.
>If there's nothing but coal powered electricity generation then vote to change it.
Most people are struggling just to get by. Expecting their votes to be driven by large, complex issues which on their surface do not seem to impact their lives directly or immediately (or actually don't at all) is wishful thinking. The vast majority of people don't understand these issues to begin with.
>If the company you buy electric from uses more coal than others, then change company
Where do you live where you have competing electrical companies? Of you're proposing that they spend money on e.g. solar or electric cars, well... I think you're a bit out of touch with the general populace. We don't live in a world where paycheck to paycheck workers can afford such things. It has to be cheap and easy or you're just not going to get anywhere. Same goes for something like DRM; until it causes huge problems with the way most people consume content, well, they won't care, and complaining about that is a waste of energy.
Problems like these require smaller groups of dedicated and informed individuals to help make change and educate others. It does actually work. The US has much better environmental policy than it did 50 years ago and people are more informed now then they we're then. It's just slow, and tech related issues are relatively new.
No. The owners of coal mines, and the owners of coal power plants, are to blame. That specific industry has come at a terrible cost of human life and the environment, which wasn't even news last century. The people with the money and power to get a coal plant built, are to blame. I don't have choice in where I get my power. Lobbyists pay politicians to decide where my electricity is generated.
If you started cooking meth tomorrow, and sold it on the market, do you blame the users who bought it? No, the origin of the problem is the industry built around pushing the product.
You're unfortunate if you don't have a choice of where you get your power - we do in the UK - and can readily take action, eg at the ballot box, to change that situation.
Meth isn't really a comparable need. However, suppose dodgy crack (cut with crap), or paracetamol, was available for treating headaches: you can choose the paracetamol which makes you partially responsible for keeping the dodgy crack producers/dealers in business if you choose their product.
> You're unfortunate if you don't have a choice of where you get your power - we do in the UK - and can readily take action, eg at the ballot box, to change that situation.
I live in a representative democracy with extremely limited and polarized choice of politicians, ALL of whom are taking money from big oil. Unfortunate, indeed -- my lack of choice harms the entire world.
And no, meth is a great analogy: sure increases productivity, damn the consequences
I wonder how much of this is simply cognitive overload. I mean, climate change, crispr, ocean acidification, asteroids... I would guess that most people prioritize dopamine first and foremost.
Software is arcane, so thinking about how it affects society probably seems irrelevant to them. Even if they do care, power dynamics make defeatism a logical and realistic mindset.
If you use Netflix as advertised, you don't need to know about DRM; it does its job without being noticeable. Netflix is a streaming service, not a movie store. There's no need for making backups. If you try to use Netflix outside the bounds of your agreement (like copying downloads to a different device), then the DRM becomes visible.
A blockbuster analogy seems adequate and explains why people are satisfied with the way Netflix and Spotify work. DRM isn't restricted to Netflix and Spotify though.
The user is to blame? Let's be realistic about how the average person handles technology in general, is aware of malware on their devices, or how many browser choices they have.
I disagree; good DRM is transparent and unnoticeable, and if that is the case then users do not care.
Who does care about DRM is pirates and content creators whose content is shown without them earning off of it.
Yes I am aware of fair use exceptions, but fair use should exempt a user from getting sued over using a fragment of copyrighted content; it does NOT force a content creator from offering their content open for downloading and republishing, even if it's for fair use.
I disagree; good DRM is transparent and unnoticeable
Yeah, until it isn't.
I can't start GTA V for days since the "Rockstar Social Club" won't connect and glibly informs me that "I need to be on-line"
I would have agreed with you until then. But not being able to play a game for which I paid full price and not being able to get meaningful support to resolve the issue rapidly changed my stance on DRM.
> You never truly own anything that has DRM, you're just licensing it.
The thing that I hate is that the marketing either explicitly says "you own it", or does it implicitly or indirectly, or in a way to make you think that you do.
They never, ever put in big bold letters "License this game for $69.95, today!"; not even when you actually "purchase" does it say "license". In fact, you see the words "purchase" or "buy" or similar; words that have always connotated "ownership".
Now granted, all software, and media in general, has always been a "license" - but there was always something physical around; that if the company or entity that licensed it to you disappeared tomorrow, you could still - theoretically - continue to use the license you had and enjoy the media as intended.
That all really changed with license keys. One would think that the whole DIVX debacle would have made this abundantly clear, but I guess it didn't (makes me wonder if the DivX media format or whatever it was actually wasn't created purposefully to muddy the waters; but that's just conspiracy theory on my part).
I don't even think people will "get it" if tomorrow everybody who "bought music" from iTunes or whatnot lost their licenses with no recourse. I really don't think there'd be anything done, except for some bawling at most.
If everything we have seen over the years, including the various massive data breaches that have occurred recently, hasn't woken anybody up to force reforms and changes that benefit the citizens and consumers, well - nothing will.
Society has basically said "we don't care if we or our children get slaughtered" - where that last word takes on a wide variety of meanings - up to and including its literal meaning.
Those of us out here being force down the chute screaming about the injustice, the wrongness, the reasons why, etc - we are all just so much noise that nobody cares about anymore.
Children getting slaughtered? Oh come on. The simple fact is that movies, music and video games are just not that important. That's why people don't get up in arms about restricted access.
Let's imagine a field. A holy place. People flock for miles, pay the land owner handsomely to visit the field.
A judge says that everyone has a right to take a single photo of this field for their collection - no more than that. The land owner disagrees.
We're not saying that the land owner should be forced to provide small organza bags for the visitors to carry their cameras around with them; but posting armed guards at all the entrances with metal detectors, automatedly initiating legal action on anything that looks like a camera and then trying to tell the user it's for their own good... well, this should at the very least be discouraged by the community, no?
> good DRM is transparent and unnoticeable, and if that is the case then users do not care.
Then there's no such thing as good DRM, since many users will want to make use of the content they've paid for (either monetarily, or perhaps indirectly via ads) in flexible and open ways that a proprietary DRM system will not allow. Fair use is part of this, but not the only issue.
Meanwhile I bet everyone here and /r/gaming uses Steam without thinking about it where you can't even click and drag an .exe to your buddy on a long flight and you need to log into it every X days for it to let you play offline.
To be clear, I'm definitely happy to support gog.com and thankful that they exist and are successful.
But look how many HNers will bring up Kindles and buying books for them on Amazon where you can only "lend" a book from kindle to kindle (forget drag and drop) through their proprietary system.
Every day 90%+ of people are happy with systems that use DRM and don't even notice it exists. Most people just don't ever go off the rails.
It's one of the worse things about DRM: trying to position your product as DRM-free and people just go "wtf is that? it never bothered me before."
No such thing as good DRM. All DRM is broken by design, and exists to take your rights away. Never make excuses for this garbage software. DRM must die.
If they had held fast, we could have forced the companies to do their key management in something like WebAssembly and avoided this gatekeeping mess.