I can't let you do that, Dave.
March 14, 2013 6:57 PM

Web standards body W3C is considering a proposal to add Digital Rights Management to the next version of the HTML5 standard. Internet pioneer Tim Berners-Lee is fine with this. Others, like Cory Doctorow, have a different point of view, claiming it will have far-reaching effects that are "incompatible with the W3C's most important policies". Others have called it "impractical and unethical".
posted by Mezentian (53 comments total) 19 users marked this as a favorite
 
Huh this leaves a bad taste in my mouth.

Also, the idea that people will just 'go back to flash' is a non-starter. Even Adobe has hopped on the HTML5 bandwagon.
posted by thsmchnekllsfascists at 7:16 PM on March 14, 2013 [1 favorite]


You'd think the fact that it straight-up doesn't do what it claims to do would be a dissuading factor, but alas.
posted by mhoye at 7:19 PM on March 14, 2013 [4 favorites]


I assume the Internet will interpret any such moves as damage and work around it.

I lack the technical knowledge to understand how, but it would seem to run counter to the open source and open internet ideals.
posted by Mezentian at 7:19 PM on March 14, 2013


What does this even mean? Have these people not yet learned that DRM is impossible? You can't give someone an encryption key and some data encrypted with that key and then expect them not to decrypt the data.
posted by Mars Saxman at 7:19 PM on March 14, 2013 [1 favorite]


It'll never get to that point, but I am romantically attached to the idea of calling the media conglomerates' bluff. Open standards, no DRM, no plugins. And how is one supposed to get millions of consumers to just go back to shitty, scratchable disks, poor portability, the format resale treadmill, and the abandonment of their nifty touch devices? Are they going to go on a Gaultian Strike? There's a hundred years of cinematics easily convertible to digital right this moment, and all they would be holding back would be the eighth installment of another comic book-derived reboot. Who blinks first there?
posted by adoarns at 7:23 PM on March 14, 2013 [8 favorites]


This is absolutely silly when you look at it from the perspective of a free and open-source browser (webkit, Firefox, etc.). Let's standardize a delivery method that a large chunk of browsers cannot implement!
posted by introp at 7:25 PM on March 14, 2013 [2 favorites]


What does this even mean? Have these people not yet learned that DRM is impossible? You can't give someone an encryption key and some data encrypted with that key and then expect them not to decrypt the data.

No, but once you do encrypt it, you can claim that anyone decrypting it in an unapproved way is "circumventing copy protection measures" and get them under the DMCA. HDCP has long since been cracked, but you're liable to be sued if you produce a device that strips HDCP encryption, so nobody does, and that's good enough.
posted by BungaDunga at 7:27 PM on March 14, 2013 [5 favorites]


I gotta say I agree with Cory 100% on this one. Built in DRM means that you don't own anything that will play any DRM'd content.
posted by sauril at 7:47 PM on March 14, 2013 [2 favorites]


DRM Chair
posted by homunculus at 7:49 PM on March 14, 2013 [10 favorites]


"Just going back to Flash" - is a statement on the mentality to approaching DRM with 3rd party technologies, not a suggestion that Flash has any further relevance (at least that's the way I read it).

As much as I hate the concept of DRM, and desperately wish that a better/fairer approach to online biz models/distribution would deal with/and render it obsolete, I think TBL is suggesting that in the prism of DRM, it would be better dealt with natively than using add on technologies.

But having just read what I've written, fuck that.
posted by a non e mouse at 7:49 PM on March 14, 2013 [3 favorites]


I have been coming around to the idea of DRM lately. Could we democratize and improve DRM? The EFF can form a corporation and "employ" anyone who wants their comms in a nuanced DRM commons wrapper; all participants get legal representation to go after any corporation or government entity that circumvents the DRM wrapper. The idea would be to 'Stallman' the DRM.
posted by vicx at 7:54 PM on March 14, 2013 [2 favorites]


I think BungaDunga has the right analysis - the primary utility of this would be to provide a pretense for legal action rather than having anything to do with technology or standardization or even usability which are the usual domains of web and internet standards bodies.
posted by XMLicious at 8:02 PM on March 14, 2013 [2 favorites]


I can't decide which is worse, but I'm leaning towards the new gTLDs being more likely to fuck up the internet.
posted by Catblack at 8:16 PM on March 14, 2013


If I understand the proposal correctly, it all relies on a chunk of code running outside the browser called a "Content Decryption Module", in order to get around the inherent insecurity* of Javascript crypto.

This is pretty stupid, even setting aside fundamental objections to DRM on principle, because it's exactly what we finally moved away from with HTML5 over Flash and other plugins.

If this moves forward, you'll have "HTML5 video", but it won't do you a whit of good unless you're on an approved platform that a "Content Decryption Module" exists for, and unless you have that module installed, etc. There is zero benefit to the user for this over Flash. It's just plugins by another name.

The only bright side of this is that it's probably easier to break than current plugin-centric DRM schemes, because instead of having to reverse-engineer a huge plugin that does everything from requesting the content from the remote server to actually displaying it in the browser, you only have to reverse-engineer the Content Decryption Module, or wrap around it with your own code to grab decrypted frames and save them. Since the CDM will (presumably) have a standardized API, or at the very least has to communicate with open source software that can be analyzed easily, it doesn't seem like it would be very hard to make a standardized DRM-breaker. How convenient.

So, on one hand, this is a terrible proposal that's ugly from every angle: political, technical, ethical. But on the other hand, it won't work and it'll make stealing content easier, and ultimately hurt exactly the people who are pushing for it. Nice going, assholes.

* Ref. "Javascript Cryptography Considered Harmful" for a good discussion of this. If everything was done in JS, it'd be trivial to replace the decryption script with one that provides the user the decrypted content in their preferred format (i.e. saved to disk) or just gives them the key for future use. This is of course possible with a "Content Decryption Module" as well, but you can obfuscate the code more thoroughly, or use creepy Trusted Computing spyware features to validate it.
posted by Kadin2048 at 8:27 PM on March 14, 2013 [6 favorites]


the primary utility of this would be to provide a pretense for legal action

That doesn't make sense, since they already have more than a pretense for legal action in instances of actual copyright violation. There are plenty of tools, including the DMCA, around for that right now.

I think this is more about "content providers" not being willing to use HTML5 as a platform unless it has DRM, because Flash has DRM, and thus if they move to HTML5 it's somehow a step down in "protection". It doesn't matter that Flash's DRM doesn't work, and HTML5's proposed DRM wouldn't work either, it's a completely irrational box-ticking exercise. Apparently Google thinks that they need to add this so that they can claim that HTML5 has feature parity.

We've seen before, time and time again, that the "content" companies aren't rational actors when it comes to copyright and DRM issues. Their decisionmaking is almost certainly warped from drinking their own Kool-Aid; it doesn't matter that DRM doesn't work, to abandon it now would be to cede ground to the downloaders and the anti-DRM groups, so therefore they must have it. (Keep in mind that the music industry did this for years, long after it was clear that DRM-free music formats were the way to go.) Google is pandering to that, by proposing a feature that their own engineers must know is broken by design.
posted by Kadin2048 at 8:44 PM on March 14, 2013 [2 favorites]


Flash has DRM?

I had no idea.
posted by Mezentian at 8:57 PM on March 14, 2013


I just discovered this set of videos on cryptography. I don't think they directly address DRM, but they are a neat introduction to understanding the technical problems with it.
posted by UsernameGenerator at 9:08 PM on March 14, 2013 [1 favorite]


Flash has DRM?

Yes, starting back with version 9. Doesn't mean it works or anything, but it's enough to check the box.

Silverlight, which is what Netflix currently uses, does as well.
posted by Kadin2048 at 9:22 PM on March 14, 2013


That doesn't make sense, since they already have more than a pretense for legal action in instances of actual copyright violation. There are plenty of tools, including the DMCA, around for that right now.

But don't the provisions in the DMCA primarily result in legal action against the people hosting illicit content at this point? I would think that once DRM could be considered fundamental or integral to the web then as BungaDunga points out anyone could be "circumventing copy protection measures" if they view a web page in the wrong way.

I wonder what impact it might have legally if displaying advertising became interwoven into DRM.

In any case, though, I agree with you that this is probably just a matter of ticking off a box instead of actually trying to create working standardized technology.
posted by XMLicious at 9:29 PM on March 14, 2013 [1 favorite]


Not to badmouth Mr. Berners-Lee, but anyone who defends Objective-C is not playing with a full deck of cards.
posted by deathpanels at 9:40 PM on March 14, 2013 [6 favorites]


As an aside, I keep one browser configured to always forget everything. If any page dislikes my various filters, such as by using Flash, then I load it there. At least with my filters, they'd get the referrer url, but if they push then they lose even that.
posted by jeffburdges at 9:43 PM on March 14, 2013


Agreed. C is absolutely brilliant in its historical context, presumably so were its predecessors. Yet, C is also the last well-designed C-like language. Objective-C is a train wreck. C++ is addictive enough but quite poorly designed.
posted by jeffburdges at 9:52 PM on March 14, 2013 [2 favorites]


But don't the provisions in the DMCA primarily result in legal action against the people hosting illicit content at this point?

No, not really; the DMCA lets content owners issue takedown orders to hosts, which the hosts have to comply with if they wish to remain immune from copyright violation themselves. As long as the host pulls the content after getting the takedown order, they're in the clear. That's regardless of whether the content has or originally had DRM, and is the main tool used by the content companies to remove illicit content. (And after getting the content taken down by the hosting company they can still go after the user responsible for posting it, they just generally don't bother because it's an unrewarding exercise.)

The DMCA also makes it a crime to distribute tools that are designed to circumvent a protection scheme. E.g.: distributing DeCSS was, and probably still is, illegal in the US under the DMCA, although I don't think anyone was ever prosecuted here for it. ("DVD Jon" faced criminal charges in Norway, but I think that was it.)

So if they built DRM into HTML5 and then you or I came up with a shim that sat in between the browser and the "Content Decryption Module", grabbing the unencrypted frames on their way back to the browser, that software would be illegal to distribute due to the DMCA. But that's entirely separate from the content owners' ability to have infringingly rehosted content (e.g. the decrypted show, posted to YouTube) taken down, or even their ability to sue users for downloading it, etc.

There's a big disconnect between the "anti-circumvention" parts of the DMCA, and the parts that actually focus on takedown procedures and set out how liability for user-submitted content works. IMO, the latter parts (takedown notices and protection of hosts for user uploads) aren't, on the whole, really all that bad. The anti-circumvention parts are really onerous, and don't really help protect content directly: they just try to shore up the problems inherent in DRM schemes with the law, which was an unrealistic goal in 1998 and it's ridiculous today.

That's what's really painful here: the TV and movie studios are, I suspect, demanding the implementation of a DRM system for the sake of having a DRM system (probably by specifying it in their agreements with distributors like Netflix and Hulu), yet having those systems in place doesn't really buy them anything: they still get to play cat-and-mouse with millions of people a day on YouTube, closing off opportunities for "casual piracy", and it only takes one person in a million to have a working DRM-breaker and torrent the results. They get the "opportunity" to go after people distributing de-DRMing code, but that's a target that wouldn't exist if the DRM system didn't in the first place, and probably just saps resources from more effective anti-piracy efforts (like pulling stuff off of YouTube). It's completely self-defeating.

Literally nobody wins with this proposal, but as long as the content owners have their collective heads in the sand about the necessity of DRM, Google is going to push for it and will probably win, or will destroy HTML5 in trying.
posted by Kadin2048 at 10:13 PM on March 14, 2013 [1 favorite]


(And after getting the content taken down by the hosting company they can still go after the user responsible for posting it, they just generally don't bother because it's an unrewarding exercise.)

Oh, sorry: the users responsible for posting or otherwise re-publishing content were who I meant when I was referring to the "people hosting illicit content." I didn't think that the DMCA provided for taking action against people downloading or viewing content but that you have to be involved in actually redistributing content, at least via a peer-to-peer type method, to be vulnerable; or at least that those are the circumstances under which people have been prosecuted so far.

But the way the Wikipedia article "anti-circumvention" is written makes it sound like the mere act of circumventing DRM measures to watch a DVD or something is itself prohibited, separately from "distribution of circumvention tools". In which case it seems to me that were DRM to become a part of web browsing in any way that could legally be considered integral or essential or whatever, anyone viewing a web page containing DRM content via a browser that doesn't implement or enforce the DRM markup, protocols, etc. could be construed to have "circumvented copy protection measures".

I mean it seems ridiculous and impossible but I would also have expected it to be ridiculous and impossible that Apple could point to a piece of hardware you bought from them and wholly own and say "you cannot install a non-Apple operating system on that" and it would have the force of law. (Which according to this Ars Technica piece is currently illegal for tablets but not for phones for some reason.)
posted by XMLicious at 11:25 PM on March 14, 2013


Flash and Silverlight are on their way out, that means no more DRM in most platforms. Content providers demand DRM in their contracts, so Microsoft, Google, Netflix, et al. need to somehow make that happen. So it goes.

In the end, the power is with the companies and the browser vendors. Google already has landed most of the code in WebKit, IE will probably have it soon. (I don't think Mozilla can legally implement this stuff, but hey, now that Opera is dead, Firefox is next in line to get killed anyway, for the american view of the world is that for something to live, everything else must die, but i digress).

In my personal opinion, W3C shouldn't take on this spec, because it shouldn't be seen as endorsing it, because the DRM thing will eventually die like with music, and because i wouldn't give a rat's ass if hollywood and its "content" disappeared overnight.
In the real world (or what TimBL and the working group chairs decided) is that the companies want this, it'll happen anyway, the W3C has no say in what people want or do not want, and a spec is better than no spec. Or something along those lines.

Of course everyone knows DRM doesn't work and content providers are all evil morons, they all but admitted that outright in many emails, but as long as they can get away with it, you know, whatever.

Disclaimer: I worked on Opera's Presto engine for some years, and then on WebKit, so i read all those mailing lists daily, because i'm a masochist.
posted by palbo at 11:26 PM on March 14, 2013 [1 favorite]


One of the biggest discussion threads, if anyone cares for the ugly details. You can read the emails from Tab Atkins and the Mozilla guys for some voices of reason.
posted by palbo at 11:32 PM on March 14, 2013 [3 favorites]


Anyone who would vouch for C++ over Objective-C is playing with a handful of poisonous snakes they merely think are cards, if only because the venom is fast-acting and induces hallucination.
posted by Apocryphon at 11:38 PM on March 14, 2013 [2 favorites]


now that Opera is dead
What? Please tell me more about this?
posted by This, of course, alludes to you at 12:57 AM on March 15, 2013


Maybe palbo is referring to Opera discontinuing the Presto engine and switching to Webkit? Which, while not "dead" exactly, is sort of like Agent Smith sticking his hand through your chest and assimilating you.
posted by XMLicious at 1:07 AM on March 15, 2013 [2 favorites]


DRM doesn't work

In quite a lot of its applications DRM is astonishingly successful; if, for example, VideoGuard didn't work then satellite TV subscriptions would be a lot lower.

This API is a mechanism whereby, for example, a broadcaster could stream video to a browser in a set top box and use the box's existing hardware to decode the content using a standard API, thus allowing the same streaming application to be used across a variety of DRM systems in a variety of receivers, (or even on a smartphone / PC, if they didn't mind the content getting cracked).

For live streaming DRM generally only has to be good enough to keep the content protected for the duration of the broadcast, and generally it is.
posted by Luddite at 3:56 AM on March 15, 2013 [1 favorite]


One of the biggest discussion threads, if anyone cares for the ugly details.

Ick. I really didn't like the one guy arguing that forcing a restricted module down users' throats was "extending freedom of choice" or helping "diversity of voices" or some such.

If W3C encoded DRM into their open standard, it would make it much more difficult for a team of developers to bodge together a new browser; they'd be dependent on getting the necessary DRM widget from some thug that has zero interest in changing the status quo or playing nice with newbies.

This is a control and ownership game that benefits established players and makes it harder for new people and technologies from entering into the marketplace.
posted by sebastienbailard at 4:23 AM on March 15, 2013 [3 favorites]


I described C++ as addictive, assuming you're using C anyways, but certainly did not "vouch for C++". I'm sympathetic to your criticism because the worst bits of C++ are much much worse. In Effective C++, Scott Meyers wrote "no one seems to know what protected inheritance is supposed to mean."

There is definitely a place for compile-time inlining and parametric polymorphism within C's original mission of bringing type-safety to low-level programming though, which C++ provides via templates. It's the ad hoc overloading that awakens great old ones to frolic in Turing complete madness. C++ would require a lot less discipline if they'd added templates first and thereafter refused features that made the type system Turing complete.

Afaik classic Objective-C hasn't brought with it anything that fit into C's original mission. I suppose Cython must be the right way to do what Objective-C's designers wanted to do.

codegolf.SE : Generate the longest error message in C++
posted by jeffburdges at 5:11 AM on March 15, 2013


The W3 has already jumped the shark. Their insistence in supporting JavaScript/ECMAScript as the only valid scripting language instead of some kind of bytecode interpreter is terrible. The confusing and weird API specs for things like web audio, webGL, web-whatever are terrible. HTML5's new tags do not add anything to the language except confusion (what is an "article" tag compared to a "section" tag and why do I care?)

It's a cabal run by Google and Apple. Mozilla is involved, sure, but they make most of their money via Google ads and can't really speak against the others. WebKit's implementation becomes the spec because the real spec is too vague, and working against WebKit's interpretation never wins.

The W3 as an independent working group standing up for the "freedom" of the web is dead to me. Whether DRM is in or out of the spec is irrelevant. The question is will Google implement it? Maybe that's why they want it in the spec: so they can implement it and be like "we're not evil we're just following what the W3 says," even though that is totally and utterly evil.

For more crankiness, I recommend Zed Shaw's talk "The Web Will Die When OOP Dies"
posted by sixohsix at 5:42 AM on March 15, 2013 [4 favorites]


Why is the W3C even bothering to consider this issue? Who cares if content owners aren't happy with HTML5 unless it has DRM? The internet is far bigger, more valuable and more important than the mainstream content industry. Leave them to stew and see if they cave in after a few years of consumer frustration with plugins and native apps.
posted by malevolent at 5:56 AM on March 15, 2013 [3 favorites]


Wow! I loved that Zed Shaw talk, sixohsix, thanks!
posted by jeffburdges at 6:18 AM on March 15, 2013


Their insistence in supporting JavaScript/ECMAScript as the only valid scripting language instead of some kind of bytecode interpreter is terrible.

The WHATWG, which was explicitly set up to escape the dead hand of the W3C has also ruled it out, for good reasons.
posted by Luddite at 6:30 AM on March 15, 2013


If this becomes a reality, does this mean that we're likely to see advertisers insisting on ad-carrying web sites using DRM to prevent people from viewing the sites with ad-blockers, and sites being able to kill Greasemonkey-style plugins which change their interface without approval (i.e., SocialFixer for Facebook, cifFix for Guardian CiF)?
posted by acb at 7:02 AM on March 15, 2013 [1 favorite]


No, this is just for video and similar media content.
posted by ryanrs at 7:09 AM on March 15, 2013



No, but once you do encrypt it, you can claim that anyone decrypting it in an unapproved way is "circumventing copy protection measures" and get them under the DMCA. HDCP has long since been cracked, but you're liable to be sued if you produce a device that strips HDCP encryption, so nobody does, and that's good enough.


Interestingly enough, Bunnie Huang's new laptop motherboard prototype contains an FPGA. So neither he nor anyone producing his design is producing such a device. They are merely making it a trivial matter of downloading a piece of compiled Verilog/VHDL/SystemC code that does precisely that.
posted by ocschwar at 7:21 AM on March 15, 2013 [2 favorites]


In quite a lot of its applications DRM is astonishingly successful; if, for example, VideoGuard didn't work then satellite TV subscriptions would be a lot lower.

I doubt that. The killer app of the satellite TV companies is that for a (relatively) low monthly rate, they will install the dish, rent you the equipment and fix stuff when it breaks. Setting up your own rig, even without DRM, is a huge pain even if you have the skills to do it. It's much easier to just pay a monthly fee and get on with your life.
posted by suetanvil at 9:22 AM on March 15, 2013


I doubt that.

Without DRM then once you have the "basic" service all that would stop you from tuning into the "premium" services would be your honesty. A lot of people won't go out of their way to pirate TV (although a lot would) but putting no barriers is optimistic at best.
posted by Luddite at 10:20 AM on March 15, 2013


VideoGuard should not necessarily be considered DRM in the usual sense of granting copyright holders control over files you purchased.

If you abandon vehicle customers, then securing satellite television seems basically trivial. Just change the content's encryption keys daily and design your box to download each day's key by providing the customer's account number. You prevent customers from sharing their accounts too widely by not letting them disable all options for buying pay-per-view content. Anyone could share their daily keys safely, but you've time to pursue them in court. A watermarked key system could address anyone making boxes that automate sharing keys.

It's obvious the vehicle customers are more valuable than stopping the pirates though, given that most pirates would not buy your stuff anyways, hence VideoGuard's DRM-like qualities, holes, etc. You could mail everyone new cards every month with their bill, I suppose. Annoying but much somewhat effective.
posted by jeffburdges at 11:04 AM on March 15, 2013


I wouldn't consider VideoGuard DRM unless it prevents satellite subscribers from copying and sharing satellite TV programs, which it totally doesn't.

Ticket takers at a theater aren't DRM either. They prevent people who haven't paid from walking in and watching the show in the theater, but they don't prevent people from smuggling in a camera, recording the show, and then uploading the video to the net.

When people say DRM doesn't work, they mean you can't let me watch it and also prevent me from sharing it.
posted by straight at 2:44 PM on March 15, 2013


As I poorly explained, there is a slightly DRM-like aspect to VideoGuard in that they seemingly don't change the encryption keys hardly ever so as to simplify life for their mobile, isolated, etc. customers. The DRM protects the keys stored inside the card in the box they sold you, not directly the content. So pirates broke the DRM, copied the keys, and sold knock off decoder boxes. If they wanted, they could replace this weak DRM-like aspect with real security by mailing new cards every month for their remote consumers, but they'd rather avoid that overhead and customer annoyance. Just not enough pirates to matter though.
posted by jeffburdges at 3:00 PM on March 15, 2013


Long term, there either needs to be DRM in browsers or Netflix et al will just come up with their own locked-down "web video player" app(s) that live outside the browser, will certainly not support niche platforms, and will very probably be horrible to use.

Personally I'm fine with that (I don't care about their brain-dead "content") but I can understand why a lot of people wouldn't be happy.

(Or, y'know, stick with Flash.)
posted by dickasso at 3:56 PM on March 15, 2013


It's best if each company wishing to employ DRM must roll their own crappy insecure player app, so that fewer people consume DRM protected content. If HTML5 makes DRM the default, maybe even youtube will start using it, meaning even some cop-beats-up-innocent-guy videos get taken down before many people download 'em. Proprietary DRM is sucky but avoidable. Standardized DRM will be abused broadly.
posted by jeffburdges at 4:31 PM on March 15, 2013 [2 favorites]


No, this is just for video and similar media content.

"Oh no, I would never abuse this technology." - Businessman
"Oh no, I would never abuse this technology." - Chinese Censor

Anything that extends control will get abused.
posted by sebastienbailard at 6:09 PM on March 15, 2013 [1 favorite]


The internet is far bigger, more valuable and more important than the mainstream content industry.

Well, they continue to insist that they're the rightful heirs to the profits accruing from the previous rights-management model. Whether or not this is true, the more outrageous their demands, the more likely they are to prevent interruptions to the old revenue stream. Who are we to say they can't have the profits they've become accustomed to? Who ever thought we'd see ads on youtube, or ad-blocking apps removed from Google Play? Basically, those big companies are going to insist that the Internet is their playground, and you'll be allowed in if you purchase a ticket. And as long as the public goes along with them, who cares what you and I think?
posted by sneebler at 7:10 PM on March 15, 2013


Flip this around. Would it be bad to have an infrastructure where if someone wants to access your data they have to do it on a machine that has privacy extensions, running privacy respecting signed code and they need to obtain realtime auth from your privacy broker so that you can log all activity on your data. If we demand the same rights on our data that they want for theirs ... it might just be decided that DRM is too hard after all.
posted by vicx at 3:46 AM on March 16, 2013 [2 favorites]


"The purpose of DRM is not to prevent copyright violations. The purpose of DRM is to give content providers leverage against creators of playback devices." - Ian Hickson

I'd imagine most DRM gives studios leverage over their tallent as well by restricting the distribution channels playback devices support.
posted by jeffburdges at 6:25 PM on March 19, 2013


*tries to come up with LOTR DRM joke based on "tall ent" and fails*
posted by XMLicious at 7:18 PM on March 19, 2013





