Slashdot Mirror


Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net)

JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News.

4 of 95 comments

  1. Re:Yes, but... by NotInHere · Score: 5, Insightful

    Google Chrome is not open source. Only Chromium is. And Chromium already has web DRM disabled by default. So you will only have to build Chromium, without any changes to the source code at all.

  2. Is it just me by buss_error · Score: 4, Insightful

    Or is anyone else getting tired of basic internet tools being turned into monsters? By that I am talking about Firefox deciding to not trust a certificate, and you can't select "Yes, I know, give it to me anyway". E.g.: StartCom's certs - you can't click past, you have to use another browser.

    Another example: Java 8 - I maintain servers. Many thousands of them, all over the globe. No, I can't put valid certificates on them. That would violate compliance in the first place; in the second place, we are talking $many^3 servers. But in Java 8, you have to add the IP to an exception list. Yeah, that's a lot to maintain. So we don't use Java 8.

    Please guys that write this stuff - you cannot make unilateral decisions on security and not impact workloads. Yes, the average Internet user is an idiot and needs to be protected, but those non-idiots don't have the hours of time needed to get around your unilateral coding decisions.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.

  3. Re:Google is now evil by taustin · Score: 3, Insightful

    Now? Where have you been the last 10 years?

  4. Re:Still optional by Anonymous Coward · Score: 2, Insightful

    It is a question of enforcing a small market share. We want DRM to continue being an "enable it, instantly lose a lot of viewers". Just like intrusive ads (a piece of static text or a picture without spyware JavaScript coming along with it) are widely considered "evil virus carriers" (which they *are*), we would like EME DRM to be known as such too, with the same self-protection behavior: disable it in the browser (i.e. same as using ad-blockers).

    It is the only way to force the industry to find a better way (to deliver content, to deliver ads without compromising your computer and privacy along with it). Otherwise, they will take all they can and reverting a bad situation is always a lot more damaging and difficult in the first place, than avoiding it taking root in the first place.

    So, think of it as a boycott call. Because ripping EME out of Chromium (or making it optional again) *is* going to be something the Linux Distros are going to do *anyway* (on the grounds that they don't want to ship the EME closed-source blobs in the first place), that has never been my concern. Besides, I can and will help (I have the skills and I am a member of the community with the right contacts to do it) at least three of the major Linux distros rip it out if necessary.