Free Software Foundation Challenges Tim Berners-Lee On DRM (defectivebydesign.org)
Slashdot reader Atticus Rex writes: On Monday, W3C (World Wide Web Consortium) director Tim Berners-Lee released a post defending his decision to allow Netflix, Microsoft, Apple and Google to enshrine DRM in Web standards, arguing that blocking it would be pointless. Zak Rogoff, FSF campaigns manager, writes in the response:
"As Director of the W3C (World Wide Web Consortium), Berners-Lee has the ability to block [the DRM proposal] from ratification as an official Web standard... Of course, a refusal to ratify could not immediately stop the use of DRM, but it could meaningfully weaken the position of DRM in the court of public opinion, and put EME proponents Netflix, Microsoft, Apple, and Google on notice that a very prominent figure was willing to stand up to them on behalf of users. Changes in society's technological infrastructure require political movements, not just technological arguments, and political movements benefit greatly from the support of prominent figures."
Berners-Lee takes the position that "The web has to be universal, to function at all. It has to be capable of holding crazy ideas of the moment, but also the well polished ideas of the century. It must be able to handle any language and culture. It must be able to include information of all types, and media of many genres. Included in that universality is that it must be able to support free stuff and for-pay stuff, as they are all part of this world.
"This means that it is good for the web to be able to include movies, and so for that, it is better for HTML5 to have EME than to not have it."
"The web has to be universal, to function at all. "
As soon as you introduce selective DRM for selected platforms and devices, it's not universal anymore.
"but also the well polished ideas of the century."
Something with DRM is always never an idea of the century cause it will never last a century before it's not possible to consume that idea anymore: it is locked away with DRM, illegal to decrypt.
Does anyone seriously think Netflix could ever operate without DRM? No DRM, no Netflix or services like it.
I know this opinion will probably be unpopular here on Slashdot, but 20 years of developing web standards and web technologies tells me Berners-Lee is right on this one, from a standards perspective. Our choice, realistically, for some content is between standardized, compatible, cross-platform DRM, or non-standard, incompatible DRM that requires Internet Explorer on Windows with Java or Flash. This isn't about what we think people *should* do, it's about what they *actually* do.
From the 1990s through to today, some publishers have found a need for DRM of one form or another, and over and over again they've asked me to help deploy it. I explain that DRM generally doesn't work and can't work. They then buy some DRM solution based on ActiveX, or Flash, or Java, or whatever is popular at the moment, and I can't see their content on my Linux desktop. The story repeats over and over. How many years could Linux users not access Netflix?
The fact is, companies will implement DRM. Lacking a standard way to do it, most require Flash (which is a security nightmare), Sony installs a rootkit on customers' computers. Most companies *shouldn't* use DRM, perhaps, but they do. A few companies have a strong case of why DRM actually makes sense for their content.
There is no debate about this point - we KNOW companies will deploy DRM without a standard, because they DO. Lack of a standard for web DRM has never stopped them from hacking together really annoying DRM.
Do we prefer a standardized, cross-platform approach developed with input from users or do we prefer the Sony rootkit approach? Those are the realistic options we can actually choose from. The standards bodies can't prevent DRM, they can only offer a reasonable way of doing it or leave publishers to implement it in all kinds of unreasonable ways.
Exactly. If we want more Flashes and more Silverlights, by all means, fight against DRM in the browser. I, for one, do not. I will choose the lesser evil. We're going to need it until we "fix" copyright law, which could take literally forever.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If the browser doesn't supply it, they'll use a plugin that does, e.g. Flash or Silverlight. So I don't really see the argument for stopping DRM, or standardizing the form that it takes.
Thank you! I believe you hit the nail on the head, as has Sir Tim. Unfortunate, but not surprising, that FSF took the narrow and unproductive view.
> As soon as you introduce selective DRM for selected platforms and devices, it's not universal anymore.
"Selected platforms and devices" is what we get without a standard. We know that because we've tried that for 25 years. How many years could Linux users not access Netflix? When I first got involved with the IETF (web standards group), ActiveX was the popular way to implement DRM. Meaning you could only see the content using Internet Explorer on Windows. Talk about "selected platforms"! Later DRM on the web commonly used Java for a few years, then Flash. Flash-based DRM lasted for many years, and there are still many sites that require the security nightmare known as Flash because that's how they do their DRM.
Note in the above paragraph I never used the word "should". This isn't about what publishers "should" do, or what we'd like them to do. It's about what they actually do. What they actually do is require Flash in the best case DRM, and implement the Sony rootkit in other cases. Of course there are almost as many different ways of doing DRM as there are publishers using it - there is no standard.
On the other hand, we've long had standards for video and images such as mpeg and jpeg. Are those limited to "selected platforms and devices"? No, the entire point of standardization is that a standard can be implemented on any platform and device.
I've personally made the case against DRM to probably 100 of my customers (who are publishers) yet so many of them decide to go ahead and use DRM. About half choose a DRM solution that means I can't see their content on my device. Would I rather they each come up with their own incompatible, annoying DRM that doesn't let me view the content, or would I rather they use a compatible, cross-platform standard that anyone can view, developed with input from users? Given the options we actually have, I'd rather be involved in developing a usable standard than have another generation of Flash-based sites and Sony rootkits.
EME proponents Netflix, Microsoft, Apple, and Google
Hey look, all the major browser makers, except one. Users still have a choice in Firefox.
Except that Youtube-owner Google spent hundreds of millions to obtain considerable financial influence over the browser maker thought most likely to resist (Mozilla). And then (what a coincidence!) Mozilla gave in on DRM, and seems perpetually bent on making dozens of other perplexing decisions that users can't stand, and seem outright designed to cost it market share.
Be assured that the other big (if not the main) reason they want DRM is to thwart adblock for videos. If they can compromise your browser/vidplayer to the degree that they've prevented you from even reading the content stream, then they've necessarily also prevented you from altering it.
But as you say, DRM doesn't and can't work. Why the fuck should we bow down to a party that will ultimately lose? There are other considerations, and if they have to go out of their way to use DRM, it will become a more costly approach. Make them pay for buggy, substandard solutions and they'll either get it together or be eaten alive by pirates providing a better experience.
This is my signature. There are many like it, but this one is mine.
What '20 years of dictating web standards' tells me is that TBL has had his shot at it, and it's time for somebody else to get a chance.
But what if I want Flashes and Silverlights to only be installed on other people's equipment who choose to install it?
What if I don't want a Flash and a Silverlight embedded into each and every browser that it's possible for me to use?
I know this opinion will probably be unpopular here on Slashdot, but 20 years of engineering execution standards and execution technology tells me Berners-Lee is right on this one, from a standards perspective. Our choice, realistically, for some executions is between standardized, compatible, execution methods, or non-standard, incompatible executions that require homemade poisons, farming pesticides, or crazy use of electricity in a chair. This isn't about what we think states *should* do, it's about what states *actually* do.
From the 1990s through to today, some states have found a need for executions of one form or another, and over and over again they've asked me to help deploy them. I explain that an execution deterrent generally doesn't work and can't work. They then buy some execution solution based on chlorine, or napalm, or used coffee acid, or whatever is popular at the moment, and I can't have them use my clunky but workable standard executables. The story repeats over and over. How many years could execution users not have access to painfree and cheap standard executables?
The fact is, states will execute people. Lacking a standard way to do it, most states require napalm (which is a cleanup nightmare), Oklahoma injects pesticides into criminals' veins. Most states *shouldn't* use executions, perhaps, but they do. A few states have a strong case of why execution actually makes sense for their criminals.
There is no debate about this point - we KNOW states will execute people without a standard, because they DO. Lack of a standard for execution has never stopped them from hacking up really annoying executions.
Do we prefer a standardized, cross-state approach developed with input from "users" or do we prefer the Oklahoma pesticide approach? Those are the realistic options we can actually choose from. The standards bodies can't prevent executions, they can only offer a reasonable way of doing it or leave states to implement it in all kinds of unreasonable ways.
What if I don't want a Flash and a Silverlight embedded into each and every browser that it's possible for me to use?
It's usually possible to take such things out, or at least block them. What's the problem?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I've always thought it better to get a DRM standard in. But I'm anti DRM. Why?
Because we make the studios choose a DRM, put it in everything.. then we break it later. Tada, everything can be easily un-DRMed, and the lawyers can point at licensees and say "DRM is in the spec, we did our part"
and put EME proponents Netflix, Microsoft, Apple, and Google on notice that a very prominent figure was willing to stand up to them on behalf of users
I question whether this position is truly "standing up on behalf of users".
Most users have governments which pass copyright laws predicated on the value of securing, for authors for limited times, exclusive right to profit from their works as a means of encouraging the creation of said works, the volume of which as a benefit for The People.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
> Nobody has a EME implementation for ARM, MIPS ...
It will mean the beginning of the Intel-only web.
That is factually incorrect. See Chromium for one open source example. EME can call any CDM, only one is required, called Clear Key. Clear Key is basically "the video is encrypted with AES, prompt the user to copy-paste the key". Clear Key (and therefore EME) can be implemented in nothing more than (clever) Javascript, so any platform that can run Javascript can run EME.
Of course it isn't *normally* implemented in Javascript, but it can be.
Yeah the web has been a complete failure under W3C and IETF. I'd never use the web, and I'm sure you wouldn't either.
If we don't want Flash and Silverlight we should be for having something comparable right inside the browser?
We already effectively do have all the parts of flash right in the browser already except for the DRM. But then since we need to add something else to get the DRM, we end up getting all of those things all over again in some other form and adding a lot of unnecessary attack surface.
It's not like you won't be able to get an OSS build which doesn't have the DRM.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Yes, but if the only protection is clever javascript, there will be a script to rip the content in -3 seconds, making the DRM pointless.
This is my signature. There are many like it, but this one is mine.
The studios approve two types of devices if you wish to stream their copyrighted content. One approval is for a hardware device - a phone, tablet, dedicated player (e.g. Roku), Blu-ray player, etc. You submit a sample of this hardware, they go over it and OK it, and authorize you to stream to it. This is why the iPhones got Netflix before Android phones. Netflix had to submit just a few iPhone models for approval, so that happened pretty quickly. They had to submit hundreds of Android phone models for approval, so that took some time.
The second type of approval is for software players. If you want to stream to a software player running on a general purpose computing device, Hollywood has much more stringent requirements. Their fear is that you'll run another program along-side the streaming video that peeks into the memory containing the decrypted stream, and save stream to disk thus giving you a DRM-free digital copy of the movie. Their "solution" is that the DRM and video decode process has to happen inside an encrypted virtual machine, which then sends each frame directly to the display device. They don't want a native Windows or OS X or Linux binary which does this because someone could theoretically modify the binary before running to weaken or pierce the encrypted VM. That's why the players are coded in Flash or Silverlight (theoretically you could modify those as well, but it's a lot harder since a new copy of the player is sent when you begin streaming the movie).
This insanity is also why playing streamed movies on PC requires much heftier hardware than mobile devices. Because the entire decode process has to happen inside the encrypted VM, you can't take advantage of dedicated video decode hardware built into every GPU since the late 1990s. The entire thing has to be done in software (moreover, software running in a VM). It's extremely CPU-intensive. That's why until recently you needed an i3 or better (Pentium or Atom wasn't enough) to stream 1080p movies from Netflix, Hulu, etc, while your phone with a low-end ARM processor could stream the same 1080p movie with no problems. Because the phone was approved as a hardware device, it's allowed to use dedicated video decoding hardware.
and that's exactly what it is, the closed source binary is called a CDM in terms of the EME standard,
black boxes not specified, but required
even calling it a 'standard' is ridiculous with that fact, 90% of the functionality is not specified
Better to only have to work around one DRM implementation than a bunch of different ones, cause you know they are going to happen regardless.
CSS anyone?
> if the only protection is clever javascript
The protection isn't in the Javascript. The protection is that the content is encrypted with AES. Only a user with the key can decrypt the content. The Javascript is "clever" only in that it manipulates html tags that the browser doesn't natively understand, etc.
> there will be a script to rip the content in -3 seconds,
Absolutely. EME doesn't provide any protection whatsoever against an authorized user ripping the content. That's outside the scope of EME. The one decryption option that's required to be supported, Clear Key (simple, unadorned AES) *only* ensures the content is available only to authorized users (who have the key). It has no protection against ripping or anything else done by authorized users.
> making the DRM pointless.
Right, there is no DRM in EME, or required by EME. EME is a small set of functions for a browser to find out how it should play some content. That "how" is separate from EME. EME could be used to say "this video is compressed zip version 9, unzip it with a compatible program before playing it". Or it could be used to tell the browser "this video is available in four bitrates and three codecs." Or it could be used to say "decode this video with a module called opendrm". Those things are separate from EME.
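The Clear Key exchange described in the comment above, as an added example that is not part of the original thread: the JSON shapes follow the Clear Key section of the W3C EME specification, while the key store, function names and key values are constructed for illustration. It shows that the license delivers the raw AES key to the page's own script, which is why Clear Key restricts access to key holders and nothing more.

```javascript
// Added illustration of the EME Clear Key license exchange.
// All key IDs and keys are constructed sample values, not real content keys.

// Clear Key uses base64url without padding for key IDs and keys.
const b64url = {
  encode: (buf) =>
    Buffer.from(buf).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  decode: (str) =>
    Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64'),
};

// Hypothetical server-side key store: hex key ID -> hex AES-128 key.
const KEY_STORE = new Map([
  ['00112233445566778899aabbccddeeff', '0f0e0d0c0b0a09080706050403020100'],
]);

// The message a Clear Key CDM hands to the page in its 'message' event:
// a JSON object listing the key IDs it needs.
function buildLicenseRequest(keyIdsHex) {
  return JSON.stringify({
    kids: keyIdsHex.map((hex) => b64url.encode(Buffer.from(hex, 'hex'))),
    type: 'temporary',
  });
}

// License server (assumed design): authorization is the only gate.
// An authorized user receives a JWK Set holding the keys themselves.
function issueLicense(requestJson, userIsAuthorized) {
  if (!userIsAuthorized) return null;
  const request = JSON.parse(requestJson);
  if (!Array.isArray(request.kids)) {
    throw new Error('malformed Clear Key request: "kids" must be an array');
  }
  const keys = [];
  for (const kid of request.kids) {
    if (typeof kid !== 'string') {
      throw new Error('malformed Clear Key request: key ID is not a string');
    }
    const keyHex = KEY_STORE.get(b64url.decode(kid).toString('hex'));
    if (!keyHex) continue; // unknown key ID: nothing to issue for it
    keys.push({ kty: 'oct', kid, k: b64url.encode(Buffer.from(keyHex, 'hex')) });
  }
  return JSON.stringify({ keys, type: 'temporary' });
}

// The page script forwards the license to session.update(), so it can
// read every key in it. This is what "no protection against an
// authorized user" means in practice.
function keysVisibleToPageScript(licenseJson) {
  return JSON.parse(licenseJson).keys.map((jwk) => ({
    keyIdHex: b64url.decode(jwk.kid).toString('hex'),
    keyHex: b64url.decode(jwk.k).toString('hex'),
  }));
}

// Walk through one exchange with the constructed key above.
function runExample() {
  const request = buildLicenseRequest(['00112233445566778899aabbccddeeff']);
  return {
    request,
    deniedLicense: issueLicense(request, false),
    visibleKeys: keysVisibleToPageScript(issueLicense(request, true)),
  };
}

console.log(JSON.stringify(runExample(), null, 2));
```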
> Clear Key will not work on ANY site, so its existence is irrelevant.
It *is* working, and has been working.
It always amuses me when people predict the *past* and still manage to get it wrong.
I hate DRM as much as anyone but let's face it, if he did not ratify it into the standard, DRM isn't then just gonna magically go away.
The only effect not ratifying it would actually have is to ensure the continued existence of a fragmented mess of multiple different actual implementations across different sites.
Still not half as bad as the stupid American date convention of Month-Day-Year.
> And more relevant to this case, the BSD license vs the GNU license. Generalizing, the BSD license lets you do whatever you want with open source. OTOH if you use GNU-licensed open source to create something, you are required to release what you do as GNU-licensed open source itself.
>
> Honestly I don't know for certain which is actually better, or if one is better in some situations, the other better in other situations.
It seems to me that each fits different needs slightly better. Certainly, the GPLv2 has been wildly successful, with Linux and millions of other software packages. We all know what the BSD licenses are, more or less, so apparently they are successful too - you don't know about the Morris Public License, because it wasn't successful. What I choose for a particular project depends on my goals and how I expect it to be used.
We'll see how GPLv3 does compared to GPLv2. Personally, I don't use GPL v3 at all, if I have the option.
>Do we prefer a standardized, cross-platform approach developed with input from users or do we prefer the Sony rootkit approach? Those are the realistic options we can actually choose from. The standards bodies can't prevent DRM, they can only offer a reasonable way of doing it or leave publishers to implement it in all kinds of unreasonable ways.
EME is neither a viable standard nor is it in any way cross-platform and there was zero input from users. The input came from Adobe, Microsoft, Google, etc.
EME is basically something like NPAPI. It has a few API/html statements and is otherwise a proprietary blackbox for only very specific OSes, browsers, etc.
In this it works exactly 100% the same as Flash did: both have the same properties.
EME is one of the unreasonable ways.
Exactly. If we want more Flashes and more Silverlights, by all means, fight against DRM in the browser. I, for one, do not. I will choose the lesser evil. We're going to need it until we "fix" copyright law, which could take literally forever.
One political revolution will end it pretty quickly. For some reason the US thinks they are immune to such a change, even when they see it happening all around them.
The only thing worse than a Democrat is a Republican.
What? He had nothing to do with DNS, that's all pre-the web. I used to use the old uk.ac.someuni.somemachine conventions on JANET in 1990, then we bridged over to the internet and had to start using the other one. Definitely pre-web.
I would happily support DRM that actually cared about customers' rights. I want the guarantee that, like physical media, DRM-protected content will be available in the far future. Blu-ray already fails this test, and I only purchase Blu-rays to strip the DRM and save a long-term format. I want the ability to gift, loan, or sell any media that I possess the rights to. I don't want to possess merely a ticket which grants me admittance to content for a limited time, under limited conditions, subject to the dissolution of whatever producer, licensor, or operator manages the DRM scheme.
Because piracy has absolutely no effect on 99% of customers I am fairly certain that what content producers/licensors truly fear is "casual piracy" and fair use like loans and libraries where market forces drive the resale cost of digital media down to its natural price in the free market.
It's perfectly natural to resist inferior DRM schemes by refusing to make them standard. If you want me to support an open DRM standard then it needs to be capability based with normal customers like you or me represented as first class owners of those capabilities and implement a durable scheme for transfer of those capabilities into the indefinite future.
For example, consider an ownership-based scheme where producers issue N digitally-signed capabilities to a particular copyrighted work and sell them to customers on an electronic marketplace. Bitcoin has proven that it's possible to maintain a globally consistent transaction ledger of ownership of individual tokens, and a much cheaper implementation could maintain ownership and facilitate programmatic transfer of capabilities to digital works (to support sales, gifts, and even temporary loans) because the marginal value of acquiring more than one capability to the same work is zero and so there will be little need to spend gigawatts of electricity maintaining the blockchain against adversaries. The copyrighted work doesn't even have to be encrypted. Just make standards-compliant devices/software require current ownership of a capability to use the work. Yes, this is an easily defeated scheme for pirates, but so is every other DRM scheme. At least this respects individual property rights, the first sale doctrine, fair use, and libraries for the vast majority of users.
Quite clever. Let's be a tad more clear. Is there something you saw tried regarding death penalty policy that has worked so well in Oklahoma that you want to apply the same approach more broadly?
Or are you pointing out that the approach you favor for all issues has utterly and completely failed when applied to the death penalty debate?
The W3C Encrypted Media Extensions only defines a way to use Content Decryption Modules (DRM) but there is no definition for the modules themselves. If their interface and format were 100% defined then that would be ok. However, they have specifically gone out of their way to avoid defining CDMs because they want to make CDMs platform specific and be able to reach deep into your operating system to "verify the environment". Just say they can have the EME if they completely define the CDMs and suddenly you will have exposed the fight for secrecy.
Anons need not reply. Questions end with a question mark.
WE DO NOT NEED THE CONTENT.
The content is something we will find with or without them.
Then why do pirates keep ripping the latest Hollywood blockbuster, Game of Thrones season or Adele single, instead of all the other stuff that was around before?
You might not need the content, but apparently plenty of pirates want it, and certainly plenty of people will pay to get it in other ways that maybe aren't so amenable to ripping it off.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Because they've already ripped the other things, and in many cases, much of the older stuff has exceeded a lot of its relevance. And of course, if it's legal, it's not considered pirating, and thus you are simply an archivist.
That has nothing to do with the asymmetry in the struggle here. Movie studios are trying to make copying machines not copy so they can share media that can't be shared. They have to give the keys to the user, but can't let the user have the key. By contrast, the pirates want to copy and share the media and key with the copying machines. One side has a much easier task than the other.
This is my signature. There are many like it, but this one is mine.
One political revolution will end it pretty quickly. For some reason the US thinks they are immune to such a change, even when they see it happening all around them.
If we do have a revolution, I doubt we'll even get around to fixing copyright. It'll just be a new gang of assholes in business soon enough.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The language is not good, alright, but parent makes a valid point.
I would really love to see someone enlighten me on why it's downvoted to -1 for any reasons other than that.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Your framing, as with anyone who says DRM is somehow necessary, is giving into those who would take away the freedom the web was built on. I'd rather have a free web than a web DRM-based business owners feel more comfortable with because I value my freedom.
Even in the narrow terms defended by DRM quislings DRM doesn't work to exclude those who share copies of DRM'd works; virtually everything Netflix publishes is available gratis online anyhow. So what we end up is the very divided web DRM proponents claim will be avoided with DRM. Thus this debate isn't really about pursuing that alleged unification. Better to push for the freedom that got us to the point where businesses took an interest and sought to divide and conquer.
Digital Citizen
Do you or do you not understand what "IN GENERAL" means? Also, I wasn't talking about only me possibly someday needing DRM for something; the current data indicates that no one actually needs it for anything. Not to mention that since all existing DRM systems seem to have major flaws, it follows that the tech should perhaps be perfected before anyone uses it. Finally, the last gasp of copyright idiocy should happen about the time someone invents a way to stimulate the average human brain to do something known as "eidetic recall". Every song you've ever heard is already in your brain, and it can be perfectly recalled, no iPod or equivalent needed.
Indeed. It's worth noting that both Chrome and (soon) Firefox will banish plugins, ensuring that whatever DRM exists out there will have to be built into the browser through political clout and sponsorships. That means if you don't like the DRM, you have no ability to uninstall it, or possibly even disable it.
At the very least, we need a standard mechanism for managing DRM, which hopefully means being able to turn it off.
Tim Berners-Lee is over 60 now. He's well into the age where one knows which battles can be won, which cannot but be lost and which aren't worth fighting. Fighting DRM at this stage is futile, it's been a lost battle since a long long time. We might have had a better deal but this is better than nothing. It's easy for a basement-dweller neckbeard to type "no compromises" with their pudgy fingers on dorito-encrusted keyboards but out here in the real world we have to deal with armies of lawyers and lobbyists, and a public opinion that could not care less. We can play ball and accept DRM or the Internet will be balkanized (it's already happening) or simply turned into a larger version of Facebook, and into a million little walled gardens. Sir Berners-Lee is a realist and is still pushing for an Internet that, though not as free as we hoped it would be, is still better than the alternative. Make no mistake, the opposing side here has ALL the advantages, and despite what some deluded comments here say, we do NOT have the advantage of numbers. Maybe in the '90s it was true but now it's no longer the case. It's time to grow up and accept a compromise that still allows us some freedom of movement rather than be completely defeated.
Attacks the man not the ideas.
Requiem for the American Dream
If we are going with rolling stone metaphors, I'd call the pro-DRM side Sisyphus and be a lot more accurate.
This is my signature. There are many like it, but this one is mine.
Having it in a browser only "means" something if the DRM code is freely available, unpatented, and can be implemented by anyone.
Which is exactly what we are talking about, unlike the rest of your post.
Just like I can install a freely available and implementable by anyone SSH client, which does not include the key files to access your data, this very discussion is on freely available and implementable by anyone DRM encryption that similarly does not include the key files to access just anyone's media.
So unless your complaint is that OpenSSH is not open software due to not including a private key to access my servers, I fail to see why you would object like you are to open DRM standards that work the same way.
Again I refuse to run Flash in my browser due to the choices and desires of people like you, and will continue to refuse to do so.
It's sad DRM is needed, but people are responsible for that themselves. If people would never have ripped copies then DRM would never have been needed.
Now, for the internet to be "universal", that's just a load of crap, as a lot of sites do not work across a lot of browsers, mostly they only work in the webdev's favorite browser (which mostly is Chrome or Safari), even though those browsers are acting more like what devs in the past accused IE6 of doing (going beyond the defined specifications).
His point was that DRMing the browsers was equivalent to having Flash and Silverlight in every browser that it's possible to use. I agree with him.
You're both wrong. Flash and Silverlight come with vastly more than DRM. If anything, it's like having a small part of one or the other of them in the browser. You can still object to that if you like, but it's not the same thing.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"