I know my opinion is not a popular one, but I find these arguments somewhat less than convincing.
The goal seems to be to reduce the spread of DRM. I'm cool with that. However, I'm not sure that these actions will do anything at all to reduce the usage of DRM. My reasoning there is that those who want to use DRM are not going to accept any alternative that is not DRMd. So in order to stop spread of DRM, keeping DRM non-standardized would have to prevent others from adopting DRM.
So the ultimate question for me is: who's going to start using DRM that's not already? I think this set is zero. Adding standardization of DRM won't close up any more content that wasn't closed before, IMHO.
However, by not standardizing, we lock out all sorts of non-mainstream clients form accessing content. Now that Flash is going to disappear entirely, that means no access to all sorts of content on Linux, unless it's standardized.
So I see something to gain, and nothing to lose by standardizing DRM. I'm making assumptions to arrive at that conclusion, but I believe that they're no worse than the ones that Cory Doctorow is making here. It's just weird to see myself diverging from the EFF on this, and on T-mobile, and other things.
Standardization provides endorsement. If DRM requires a non-standard plugin, and plugins themselves become increasingly verboten, at least some folks who might have used DRM may decide that they want to reach a wider audience instead.
Consider what happened when Apple refused to allow Flash on their platform; that certainly accelerated the decline of Flash, or at least forced the development of Apple-specific approaches for that platform.
So what would happen if Chrome and Firefox had stood together in solidarity and said "no"? I don't think the answer would have been a mass exodus to IE; for that matter, what if IE had gone along with it? (Edge already bans plugins.)
>So what would happen if Chrome and Firefox had stood together in solidarity and said "no"? I don't think the answer would have been a mass exodus to IE; for that matter, what if IE had gone along with it? (Edge already bans plugins.)
Google has been a prime supporter of DRM on the web. They bought Widevine a few years ago which is a DRM provider and pushed for inclusion of DRM in the W3C.
It's basically Mozilla vs. the rest, just like it happened with patent encumbered H.264 and Mozilla was left holding the bag.
Yeah, the thing is that Chrome interests are inseparable from Youtube's, and unless they can force the media companies to let go of DRM, like Apple did to music labels, they need some kind of solution. And frankly, what's in it for them?
Apple uses DRM for subscription music, but not music you've paid for a perpetual license; why wouldn't Youtube use DRM (at the copyright owner's request) for music and video when you haven't paid them for a license?
No DRM yet, but Google doesn't allow YouTube downloader extensions in their Chrome Web Store (but allows downloaders for other video sites, how strange :-/).
> The unstated assumption here is that DRM that isn't a standard won't be built into a browser.
That's not the assumption (because DRM already existed in the browser before it became a web standard - remember Silverlight?).
But it's much less work for the entities providing the DRM when EME provides a common standard for them to work with. This lowers the pain (for them) of using DRM, which makes it harder to provide enough pressure on them to stop DRM.
EME commoditizes DRM, for better or worse. Like you said, a EME lowers the pain to adopt DRM. With a standard EME API and CENC (Common Encryption), services can easily support multiple DRM backends or switch DRM backends. I worry that increased competition between DRM providers will lead to an arms race of stronger DRM tech.
EME Standardized the Plugin err "extension" API. It in no way standardizes DRM. The Stardardization is around the way Javascript will be used to call inside HTML5 the browsers CDM (content decryption module" which is a plugin by another name.
There are currently 3 competing technologies, with more to come, that are incompatible with FOSS, incompatible with open systems
For Chrome Browsers there is Google Widevine CDM
For MS Browsers there is MS PlayReady
For Firefox there is Adobe Video CDM (which is basiclly the video playback part of Flash)
This is the problem with EME, Netflix, Google, and Microsoft have been masterful at their marketing of this to people that should be able to see past the bullshit
EME/CDM is still a binary browser plugin, Sure we "eliminate" flash and the need for a "3rd party" plugin, but in many ways that it worse, Before we had a standard Plugin API that allowed non-supported browser to make use of Flash, so there where many many many browser that could call the 3rd party flash application to make use of that content. Now those browsers are completely locked out. You will only be able to Access content on the Big 2, Chrome and IE, and maybe Firefox is they finalize their agreement with Adobe to bring in a Binary Blob into the Firefox Browser
It's worse than that. Competition drives price to zero. That means DRM providers need to get their revenue from some other way. The obvious way is to exploit (track, or worse) the user.
So if these businesses did earn money from DRM, you think they'd go "some extra profit by adding user tracking? Oh, no, thanks, we're good" and leave it on the table? Why?
>those who want to use DRM are not going to accept any alternative that is not DRMd
This is patently false. From 2003 to 2009 music sold on the most popular online store, iTunes, contained DRM. Due to competitive pressure from Amazon's DRM-free store, Apple also dropped their DRM. It once seemed impossible that the major labels' digital music would be sold without DRM, but now that is the norm. Content industries can and have changed their minds on DRM when consumers force them to.
Apple didn't drop their DRM because of Amazon. They wanted to drop it before then, but the publishers in order to promote an alternative to iTunes made DRM-free music available to Amazon first. Apple dropped it as soon as they were allowed by the publishers. It was written into their contract that DRM was required. Steve Jobs talked about this in his "Thoughts on Music" post. It doesn't appear to be on Apple's site now (it was written in 2007), but you can read the whole thing at,
The relevant part is:
"The third alternative is to abolish DRMs entirely. Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat. If the big four music companies would license Apple their music without the requirement that it be protected with a DRM, we would switch to selling only DRM-free music on our iTunes store. Every iPod ever made will play this DRM-free music."
Content industries can and have changed their minds on DRM when consumers force them to.
However, it's also worth noting that the music industry is the only major content industry where this has been achieved.
If anything, things are going the other way with video content. There have been stories this week about Netflix cracking down on those who are circumventing region locking using VPNs. It seems big name shows are increasingly being offered via proprietary pay-per-view systems run by their production organisations, and centralised libraries like Netflix are either not carrying the material or dropping content they used to offer. We still have different release dates for movies in theatres in different countries, and for films and TV shows on DVD/Blu-ray. A recent trend seems to be for US TV shows not to release new seasons on Blu-ray at all here in the UK, so you can buy the lower quality version on DVD or you have to sign up for yet another online service to watch in HD, assuming you even have access to such a service from where you live. All of these measures are overtly consumer-hostile, but there is little the consumer who enjoys TV and movies can do if the entire industry moves that way (short of resorting to illegal channels and risking the consequences, which obviously is what a lot of people do in practice).
The software industry is similarly screwed up. We've gone from buying a copy of something and being able to use it, to buying a copy but needing remote activation, to buying a copy but needing varying degrees of ongoing online access to continue using it, to not even being able to buy a copy and merely renting. Personally I draw the line before I get that far, and refuse to pay for any important software unless I can reasonably expect it to continue working indefinitely. Even then, my businesses have been screwed repeatedly by varying degrees of ongoing online access or cutting off support, and slightly surprisingly, the most expensive professional software is by far the worst for this and for fixing the mess is something goes wrong.
I really hope that before too long the law starts to reflect the real relationships with modern technologies, where the original vendor who would traditionally be the main second party in a purchase contract is effectively just providing an introduction to the real other party, which is the organisation that makes the software/service and is (or isn't) going to provide ongoing support and/or retain ongoing control over it. I also hope that smaller, disruptive software businesses who are starting to take on industry heavyweights can demonstrate that money talks and enough customers are willing to vote with their wallets for less one-sided arrangements. But for now, the possibility that industry heavyweights like Microsoft, Adobe and Autodesk are going to give up their vice-like grips built on DRM and related technologies seems more remote than ever, and all of them are pushing hard in the opposite direction.
Apple and Amazon managed to change the practices of the music industry because they had enough power. Netflix has started down the path of building more power, by having their own content. Perhaps when Netflix has enough power they can push back on the video industry.
At least in public, Netflix has claimed that they don't want DRM themselves, and would remove it if they could, but that their content providers require it.
Actually, I think the main reason that music went DRM free was to circumvent Apple's dominance. Since they had by far the most popular portable digital music platform, and wouldn't allow third party DRM on it, the music industry had a choice -- either deal with Apple, or forego DRM altogether.
That's basically what happened. Apple wanted to go DRM-free (see Steve Job's Thoughts on Music letter) and did so as soon as they were able according to their contracts. But before they did, the publishers offered DRM-free music to Amazon first allowing them a head start on Apple.
I think DRM is mostly forced upon Netflix by Hollywood. If Netflix didn't need to DRM every stream, they could reduce their hosting costs and network latency by pushing static video content to CDNs and caching servers. For example, Google hosts YouTube server appliances in ISPs to reduce latency.
While removing DRM would certainly help Netflix, it doesn't stop them from offering such edge boxes already; ISPs can already host a box on their network that supplies Netflix videos to that ISP's customers.
> However, it's also worth noting that the music industry is the only major content industry where this has been achieved.
Video games are a major industry where there was significant pushback from DRM thanks to sellers like GOG. There are still many games with DRM, but the portion that don't use DRM has increased significantly.
I'm personally very happy for GOG's success, but as I mentioned in response to 'Zikes, we do have to keep that in perspective here. Sadly, that "significant pushback" doesn't seem to stop certain big name game developers from pushing out new products that people will still pre-order by the zillion even though the launch of the previous title in the franchise fell over for days because the servers died or some such.
gog.com is an example of the software industry (or video games, at least) eschewing DRM on an ethical/consumer rights basis. They're highly successful, and may well pressure Steam and other similar markets to follow suit if their upward trend continues.
Good point, GOG is another modest success story for DRM-free content. That said, success is a relative scale here: even a hit like Witcher 3, where there is an obvious commercial association between GOG and the developers, only sold slightly more copies on GOG than on Steam, while most big name titles either aren't released on GOG at all or sell many times more through other channels like Steam. If we saw the likes of EA and Ubisoft backing off DRM for their new AAA titles instead of doubling down on it even in the face of some very obvious problems, it would mean a lot more in terms of industry direction.
In an echo of what derekp7 said above about the music industry turning to no-DRM as a way around Apple's restrictions on the iPhone, there are publishers who are turning to DRM-free sales of books directly to consumers to bypass Amazon's control of the Kindle ecosystem. O'Reilly and Packt come to mind immediately, but I'm not sure if it's a function of their audience or I just know of them because I'm in their audience.
EDIT: Which, to the larger point -- DRM is two things, a content play and a platform play. Standardizing DRM is one way to limit the power of platform holders over content providers. Eliminating DRM is another. Deciding whether standardizing DRM is a lesser evil than leaving DRM up to platform holders is a question of who do you fear more, the content owners or the platform owners.
> Standardizing DRM is one way to limit the power of platform holders over content providers.
Half the problem is EME doesn't even attempt to standardise DRM in any real way: it just provides a JS API to deal with DRM'd content, decrypted by some "module" which interfaces with the browser in an undefined way (and in every case except Firefox, does so by bundled with no possibility of any other modules being installed).
Except that the music industry has gone back to DRM. Most people I know consume their music using streaming services these days and I'm under the impression that e.g. Spotify are forced to use DRM by the content owners.
Note that W3C did not standardize DRM in a usable, interoperable form that you'd expect from a standard.
They merely accepted a JS API for launching non-standard proprietary DRM Content Decryption Modules. API of these modules is deliberately undefined and left to be browser-specific.
It's just as standard and interoperable as using W3C's <object> to launch Flash.
There are always people on the fence. I see this sort of attitude appear all over the place, from terrorism to suicide prevention and now DRM. People have already made up their minds, it's said, and they'll do what they've decided to do regardless.
It's just not true. Lots of people are pushed only weakly towards one side or the other. Making it easier to go one way and harder to go the other way will influence where people in the middle end up.
Aha, so encrypted javascript is something new that I've not seen mentioned in any of these discussions!
However, does EME allow encryption of javascript? I thought it was just for playback elements in <video> and <audio>? Searching a bit, I can't find evidence that executable javascript could be encrypted.
I've seen proposals to allow EME to control access to any browser resource: images, fonts, scripts, even HTML itself. The proposals I've seen look a lot like Service Worker, but with an opaque obfuscated container running a blob.
> However, by not standardizing, we lock out all sorts of non-mainstream clients form accessing content. Now that Flash is going to disappear entirely, that means no access to all sorts of content on Linux, unless it's standardized.
Flash is only disappearing because of Web DRM. The situation gets worse for Linux users. Instead of installing the Flash plugin and seeing DRM content through it, now DRM only works if you are using Google Chrome because it's the only browser with Hollywood-approved DRM scheme.
As for users of FreeBSD and other less popular OSes, well Google Chrome doesn't have a build for you, so you lose this content completely.
Netflix and such need Chrome to play videos because of DRM. Well, let me see: Netflix doesn't cache any videos, so if I want to watch something more than once, it's smarter to download it unencumbered.
And then it gets to the point that pirating most of your content makes sense again. If you're going to be a scofflaw, might as well go all the way, and get the good experience from it.
Standardization makes it easy and reliable. If those that insist on DRM need to navigate unreliable, mediocre technology, it requires more development effort and delivers a sub-par user experience, thus leaving the door open for DRM-free competitors.
No, because Google, Microsoft, and Apple could have coordinated on implementing EME even without an official W3C stamp of approval. Or they could have implemented 3 separate APIs for DRM. Netflix and others would be mildly inconvenienced, but that's something they could deal with. As long as content producers insist on DRM, which they do for video, the sub par user experience is going to be with the platforms that don't support Netflix.
Reminder that HTML5 started without an official W3C stamp of approval. (Hell, it started with the W3C membership voting against any further work on HTML, thus the formation of the WHATWG.)
>However, by not standardizing, we lock out all sorts of non-mainstream clients form accessing content. Now that Flash is going to disappear entirely, that means no access to all sorts of content on Linux, unless it's standardized.
That is simply not true. Flash was on the way out with or with out EME, Chrome and IE was already doing it. With out EME they still would have moved forward with their implementations of Widevine and PlayReady respectively.
Netflix would have still switch to it, and Chrome on Linux would have still played Netflix.
EME did not result in "Content coming to Linux" and there is no guarantee it will continue.
It will be up to the individual CDM makers, in this case google, if they want to continue to include the binary blob on Linux. No different than Flash. If google chooses tomorrow to remove widevine from Chrome on Linux, there goes your Netflix and any future "HTML5 EME" enabled websites
Further many other "HTML5" Browsers can not play this content because the binary blob required is not there... making it non-interoperable with any true FOSS gnu/linux operating system. Firefox has to pay Adobe for a CDM Plugin under pressure from their less than idealist users...
"HTML5" as a standard should mean anyone implementing the spec is able to see all content built on the spec. Sadly with the inclusion of EME sites like Netflix can claim to be "HTML5" compliant while still preventing every FOSS HTML5 browser from viewing any content.
That is not a WIN for Standardization, or a WIN for interoperablity
> My reasoning there is that those who want to use DRM are not going to accept any alternative that is not DRMd.
The way to deal with them is by not accepting them in return, and only using alternatives. Losing money bites, and they can quickly straighten their crooked ways out of fear for competition. That's the only method that works for curing DRM disease.
I think standards bodies operate most efficiently when they provide a bit of choice. If some browser writers want to implement DRM in their browsers I would rather it be standardized than not. Simply because the W3C doesn't standardize it does not mean it will not be implemented in browsers. It's not like W3C standards are binding legal documents.
From TFA:
Much of the "Web" is disappearing into apps and into the big companies' walled gardens. If it is to be relevant in the decades to come, it must do everything it can to keep the Web open as an alternative to those walled gardens.
Then remove a reason for the web to disappear into walled gardens and allow the W3C to standardize DRM. Not providing ways for everyone to serve up their content via the web will only accelerate movement to other mediums.
I like the idea of the non-agression covenant. But the obvious problem with it is that implementers of EME don't have to sign it. It looks like it only covers those who participate at the W3C. It's a rather strange legal concept, and possibly unenforceable, but I'll leave it at that.
> My reasoning there is that those who want to use DRM are not going to accept any alternative that is not DRMd.
Of course they will. The big media companies like to posture and pretend they're going to take their ball and go home, but the customers hold all the power in this relationship.
It's not like they are going to leave money on the table by sticking to dying platforms out of a religious devotion to DRM, they just think they can have their cake and eat it too by bluffing.
This spec (W3C EME[1]) has been introduced and heavily lobbied by Google and Netflix.
Regardless of what W3C decides, Chrome won't drop Netflix support, and Netflix for now seems to be hell-bent on having total legal control over which devices are allowed to play their content.
I'm not much of a DRM fan. That said, the W3C has already become borderline irrelevant to the future of the web, as it has been far too slow to standardise everyday technologies that have been widely deployed in browsers for a considerable time. Realistically, actively refusing to cooperate seems unlikely to stop browser developers from implementing new features. It's just going to mean that those features work differently from one browser to another, and possibly that some browsers or platforms won't offer the features at all. Personally, I'd rather the W3C work within the bounds of reality as a moderating influence than have it become a mere talking shop with no real influence at all.
"...the W3C has already become borderline irrelevant to the future of the web, as it has been far too slow to standardise everyday technologies that have been widely deployed in browsers for a considerable time"
This is a bold statement, but one that I'm surprised to find myself agreeing with. I suppose now it's a matter of figuring out what should replace the W3C; things are only going to move faster.
A decade ago, if I wanted to look up how something in say HTML or CSS worked, I'd probably go straight to the W3C site and just read the spec. Today, my first ports of call are places like MDN, caniuse.com, or sometimes places like the Babel documentation or kangax's ES6 compatibility table.
I can't remember the last time I read anything on the W3C site. I do find myself there now and then, but sadly, it is simply irrelevant to most of my daily web development work. What matters in a world with ever-moving goalposts is what browsers can actually do right now, which today basically means which of the evergreen browsers have support currently, which of their LTS releases also have support, and what the situation with IE and possibly older mobile browsers is, as validated by actual testing in each case.
I really wish this weren't the case, because the lack of standardisation and vast numbers of browser idiosyncrasies makes development much more onerous and less reliable than it should be. But the W3C just couldn't keep up, and for now the browser developers seem to be mostly ignoring it as a result.
I don't think that's true at all: there's far more relevant work going on at the W3C than there was a decade ago.
Pretty much the only thing the W3C was working on that affected web developers a decade ago was CSS 2.1 and a couple of CSS 3 modules (Backgrounds & Borders and Selectors come to mind but nothing much else).
Yes, admittedly, it's still more-or-less just CSS work that actually happens at the W3C (with increasingly large amounts of work happening at the WHATWG covering the majority of the rest of the platform, HTML and DOM especially), but the number of CSS modules being worked on is vast, and the quality of the specifications is far greater than it was a decade ago.
As for:
> I really wish this weren't the case, because the lack of standardisation and vast numbers of browser idiosyncrasies makes development much more onerous and less reliable than it should be. But the W3C just couldn't keep up, and for now the browser developers seem to be mostly ignoring it as a result.
Per above, the quality of specifications is far greater than it was a decade ago, and it is (despite the perception of many) still the case that specifications are most of the time always nearly-complete before anyone ships anything (typically the incomplete parts are the bizarre edge-cases that no web developer is likely to ever run into, but there is a real attempt to avoid undefined behaviour), and there's definitely more involvement across the various standards orgs from all browser developers than there was a decade ago, W3C included.
The increasing number of browser "idiosyncrasies" is mostly a result of ever-increasing complexities in implementations (partly down to the increasing complexity and size of the web platform, partly down to new features being retrofitted into implementations that weren't originally designed to do anything like the new feature, and partly down to lack of a good shared, between all vendors, testsuite for CSS).
I am remain hopeful that we're moving towards somewhere better when it comes to interoperability across browsers. web-platform-tests (https://github.com/w3c/web-platform-tests) has got us a good, high-quality test suite for the platform minus CSS, and is run by most but not yet all browsers on a daily basis (and I think it's realistic to hope that by the end of 2016 it'll be run by all browsers on a daily basis, and that for many it will be the place they write tests, hence test suites will basically become shared rather than done separately with different coverage holes for bugs to slip through). csswg-test (https://github.com/w3c/csswg-test) is slowly starting to move towards a point where it'll be as widely run as web-platform-tests (please don't make me think about this too much, I'm finally making progress there, making the same arguments as five years ago but now with the evidence from web-platform-tests that it actually works).
And finally:
> I can't remember the last time I read anything on the W3C site. I do find myself there now and then, but sadly, it is simply irrelevant to most of my daily web development work. What matters in a world with ever-moving goalposts is what browsers can actually do right now, which today basically means which of the evergreen browsers have support currently, which of their LTS releases also have support, and what the situation with IE and possibly older mobile browsers is, as validated by actual testing in each case.
Really that makes it sound like half the problem is the fact that the spec documents give no informative data about what browsers support what features. There's definitely been talk about trying to do something better here, but it's a hard problem: you need some way to gauge support and quality of implementation, across all browsers and across all features. I think there's mostly agreement that caniuse is actually too coarse to really be put anywhere near a spec (because specs are rarely implemented as atomic units—there's normally different statuses for different sections), and that just grabbing test suite results isn't that useful either (because you can fail large numbers of tests due to obscure bugs, or because you've only implemented the awkward 20% not the easy 80%, so you're actually closer to shipping complete support than someone who supports the easy 80%).
(As a disclaimer: I've been around the W3C and WHATWG for quite a while (coming up to a decade), have been employed/contracted for several browser vendors, and was one of the early pushers to get high-quality test suites shared across all browsers.)
For what it's worth, I don't dispute at all that the quality of CSS specs from the W3C has improved over time. However, specs are means to an end, and the usefulness of any spec is inevitably dictated by the implementations that exist.
As a professional, I truly wish this weren't the case, but as a professional, my job is to make a working site, not necessarily a standards compliant one. All too frequently, it is still not possible to do both at the same time, either because browsers don't implement W3C recommendations consistently, or because of the poor quality of implementation you alluded to yourself, or because even when browsers did provide a useful implementation yesterday someone broke it in an update last night and today I'm rewriting something a different way because platinum support customers started calling first thing this morning and get a same day response not a 6 week one.
"Of course I understand that it's the update we just rolled out to our corporate standard browser that broke your standards-compliant and otherwise normally functioning site," said no customer ever. :-)
Didn't we already learn what comes after the W3C? Development of HTML5 was mostly pushed by the WHATWG, with W3C later rubber stamping it as the new version of HTML.
But Google and Microsoft don't need the W3C approval to win; they just get together with Apple and implement it. In fact, we've already seen the browser vendors move ahead of the W3C in the HTML5 spec, forming the WHATWG, so why wouldn't they - except Mozilla - just do that again?
They could have ignored the W3C, but losing in the W3C would have been a significant thing. It would have shown the web community is taking a stand against DRM. It could have helped further battles against DRM.
Instead, by winning at the W3C, Google and Microsoft made DRM's victory as official as possible.
Am I understanding this right that the idea is that if a member of W3C sues anybody for reverse engineering their DRM then they get kicked out of W3C?
I wonder how much of a deterrent that is. W3C needs Google/Microsoft/Apple more than they need W3C. The content producers aren't even members of W3C I don't think. I guess it would be companies that create the encryption plugins like Adobe that could theoretically sue people under the DMCA. I just don't see how the W3C could even function without the biggest players at the table.
No, the idea is that they have to sign a legally binding covenant beforehand, agreeing to not sue. If not then their DRM doesn't get into the standard in the first place.
They lose their court case. I'd imagine it's a pretty simple defence against a patent suit if you can present a covenant by the patent holder saying they won't sue.
I think the security aspect is the best option. If a CEO can't access some proprietary web app and is told "You need to use browser X that supports DRM", then they will be "Why isn't that already installed on my system". But if they are told "The web app uses hidden code that may be insecure, and cannot be audited" then you'll have executives, people in actual power positions, say "Get that stuff off our network".
I don't expect Tim Berners-Lee to agree to this, given he was the one who championed DRM at W3C in the first place.
Also, I don't expect Mozilla to do anything useful, given they went along with it so easily. But then, I haven't expected anything much of Mozilla in a long while.
> I don't expect Tim Berners-Lee to agree to this, given he was the one who championed DRM at W3C in the first place.
The W3C is in a somewhat awkward place, really. To some degree, the W3C is beholden to its member organisations, and if they want to do something it frequently happens. That said, it's easier to refuse to work on something than to work on something the majority of members don't want (HTML comes to mind there!).
> Also, I don't expect Mozilla to do anything useful, given they went along with it so easily. But then, I haven't expected anything much of Mozilla in a long while.
I think people vastly overestimate how much influence Mozilla actually has. Look at how long Mozilla held out against H.264, and all that did was cause them to lose marketshare (because plenty of HTML video simply wouldn't play in Firefox) with no affect on the web as a platform.
Mozilla has influence, not control. That doesn't mean they're not valuable for keeping things from being even more skewed by e.g. being the only non-DRM vendor in the room.
The HTML5 video situation is a bit complicated, too, as H.264 was simply better across the board: standardization, quality, speed, tooling, hardware support, etc. There was only one reason to choose WebM and that was the belief that it might not be covered by patents, which mote optimistism than something you could be rely on.
That point really needs to be fought in the next generation or two where you aren't waiting until the contest is over before getting started.
People need to realize that DRM is simply a tool. Absent pernicious laws like the DMCA, forms of DRM are like fences, locks, and cameras. Such tools can be used to oppress people. The same tools could also be used to protect individual's privacy and act as a check on what organizations can do with people's data.
Those who control products and infrastructure shouldn't be allowed to set up such tools to grant themselves disproportionate power. However, individuals need to realize that such tools could help protect them as well. (Analogy: Camera phones and police misconduct.)
DRM uses cryptographic methods, but I've never heard of a use case where a user chose a DRM product rather than a more straight forward cryptographic product to protect themselves.
Full disk encryption is a better tool for protecting yourself than SecuROM. In fact using SecuROM may well leave you more vulnerable to attack due to it's hacky obfuscation methods.
It's also worth noting that while many DRM systems do use cryptography, cryptography is not required to implement DRM and cryptography alone is insufficient to implement DRM. Cryptography only keeps data away from people who don't have the decryption key - it can't provide a way for people to read the data without copying it. But that is the goal of DRM. Because reading and copying data are fundamentally the same thing, the only way to achieve that particular goal is to modify the operating system so that it lies to the user. That is called a rootkit.
> Doesn't help when you have to share data with companies and governments, and the information ends up on someone else's disk.
FDE was an example among a vast array of encryption products. Attacking an non-comprehensive example as non-comprehensive isn't very enlightening. I still fail to see which DRM product you are suggesting is the proper tool for this situation. Even further, cryptography and careful allocation of trust seem to be a better solution than DRM for disseminating sensitive information since DRM is generally only a barrier, and not robust against concerted attack.
That is to say, if you are disseminating information to untrustworthy sources via DRM, then in the great majority of cases, you can consider the information compromised. Most DRMed content is copyable with as simple a solution as recording your screen. Even HDCP can be defeated with a simple camcorder.
I still fail to see which DRM product you are suggesting is the proper tool for this situation.
I am and always was talking about the abstract concept of trusted execution. As of yet, there is no environment which is trustworthy from a technical or a political standpoint.
Today's society's attitudes towards DRM are like what one would expect from the world of Orwell's 1984 towards cameras. We've only experienced a certain tool's use for oppression, so people's brains have turned off and they can't imagine the implications of the same tool being in the hands of the masses.
To give one practically useful example, the same kinds of technology that could potentially restrict access to content on your own devices could also restrict the use of information in the workplace, preventing the leakage of sensitive personal data due to inside jobs. This is a legitimate and very practical concern for organisations operating in fields like healthcare, finance and defence.
So for example, my medical records might be DRMd with the keys in my possession, and I could give them to a clinic and give them read rights, but the DRM means they would have a hard time sending that data elsewhere without my permission?
I suppose you could do that, though given the nature of medical records, keeping everything locked up so tightly that only the (potentially impaired) patient can give access seems unwise.
I was more thinking that those organisations who do process medical records on your behalf -- your doctor, hospital, etc. -- could and should take steps to prevent the often very large number of staff they have from accessing an individual's records without proper authorisation. This would limit the ability for anything sensitive to be accessed by anyone without a reasonable clinical need for it or to be readily transferred to other systems, as well as creating a robust audit trail of access to sensitive data as well.
That sort of system isn't DRM. Limiting access to data is just regular access control, which is common and works decently well. The unique thing about DRM is that it provides access to data but attempts to limit what you can do with that access, for example allowing you to view it only on certain devices. That's much harder and less useful. I can see how it could help prevent bad actors from causing trouble here, but it's secondary to having proper access control.
The unique thing about DRM is that it provides access to data but attempts to limit what you can do with that access, for example allowing you to view it only on certain devices.
And that sort of thing is what I'm talking about. There are numerous applications where someone has a legitimate need to access certain data under certain conditions and for certain purposes, yet that same person does not need and should not have the ability to do other things with the same data.
And if you think that's not useful, I would remind you that a very substantial proportion of all white collar crime is based on inside jobs.
I was more thinking that those organisations who do process medical records on your behalf -- your doctor, hospital, etc. -- could and should take steps to prevent the often very large number of staff they have from accessing an individual's records without proper authorisation
But that's not DRM! That's regular access control! The whole idea behind DRM is to control what users who are allowed to access the content can do with it.
Otherwise, even UNIX file permissions would be DRM.
Preventing access at all is regular access control.
The technologies that let someone access the data from their PC at the hospital but not, for example, save a copy to a USB stick, are much closer to what others use for DRM purposes.
The best technology to prevent copying data to a USB stick isn't DRM, it's epoxy. (Or, for a more mundane approach, disabling USB storage devices at the OS level.)
That shouldn't ever be necessary. Why does a medical records system need information loaded from USB sticks by random workers?
Edit: if it is for some reason necessary, it's actually easy to allow. Have separate "import" computers set up with accessible USB ports and write-only access to the system.
I suspect you are vastly overestimating how systematic IT in an average hospital or doctor's/dentist's surgery is. Medical IT is a scary field to observe.
Also, we seem to have latched onto medical records somewhere along the line, but please remember my original point was much more general. These technologies are relevant anywhere you have a need for access to sensitive information but also a need to control how that information can be used: finance, corporate R&D, obviously defence and security related fields, criminal justice, and the list goes on.
I'm not discussing how IT at these places is, merely how it could be. We are discussing hypothetical use cases, are we not?
As for the more general point, that's fair, but people keep bringing up things that are not DRM as examples, or use cases where DRM is not a good solution.
I think my original idea of individuals applying DRM to their own medical records is a way better example of how DRM could potentially be useful to protect privacy and give people control of their own information.
You'd think so, but unfortunately many, many systems that deal with sensitive data are not "sensible". Just look at the leaks from some of the most security conscious organisations in the world in recent years.
What if your email correspondence from companies was entirely handled through DRM that you controlled? What if you could revoke the right for a company to use your email? Basically, if such infrastructure were widespread, no company would actually have your email, unless they were to circumvent the DRM. Furthermore, such circumvention would then be covered under the DMCA, and mass circumvention would open up companies to class action lawsuits. (If properly implemented, either lawbreakers could be tracked, or the company that let the protected address fall into the wrong hands would be identified.)
You could not say that such a circumstance would be unfavorable. Typically, people come up with an argument saying that DRM doesn't work, and that such tools wouldn't be available in a true and trustworthy form to individuals anyhow.
Also, email isn't such a great example anymore, but having such control over one's medical records would be desirable.
First of all, you're talking about a doubly edged knife. You wouldn't "actually have" the received email either. Now imagine you're sexually harassed or blackmailed, but couldn't prove it, because your email vanishes just after you've read it.
But more problematic is that you're forgetting about the analogue loophole. As long as I can take a photo of your crappy email, you only have the illusion of safety. Add to that the fact that currently there is no such thing as unbreakable DRM, mostly because it's a fundamentally flawed concept that can't work. DRM is security theater at best.
> having such control over one's medical records would be desirable
One thing that always bothered me is that programmers have the arrogance to think that technology can fix a broken society. Given that DRM is a broken concept, it wouldn't stop global adversaries like the NSA from mining your medical records. And then when your insurance company demands whatever records they want to do however they please, including selling that data to the highest bidder, threatening to reject your contract or claim, good luck explaining them about DRM and control.
You wouldn't "actually have" the received email either.
That's a straw man. The contents of communication would be proof from repudiation, but permission to send would be subject to revocation.
Given that DRM is a broken concept, it wouldn't stop global adversaries like the NSA from mining your medical records.
Begging the question. Our experience so far of DRM is broken. And there are plenty of adversaries below the capability of the NSA people need protection from.
Begging the question. Our experience so far of DRM is broken.
No, DRM as a concept is broken. The whole idea rests on giving someone the encrypted content and the key to decrypted, while obfuscating the way the two are combined in a machine the user controls.
That's why most DRM has been broken, often mere days after release, despite the many millions buried in its development.
This is really less useful of an example than say, medical records. With AD RMS I can ensure every document floating through an organization is protected with RMS, allowing only users with the proper permission access to the document. If someone tries to be sneaky and exfiltrate PHI out of the network it is useless, since nobody outside of the organization can open the file even if they have it. I can also revoke access to specific individuals or groups of people, so even if they had access at one point they can't use it any more.
DRM for documents is more about preventing sensitive data from escaping than it is securing communications between parties. The analog loophole always exists, mind you, so it still only makes life more difficult - but it does prevent mass transmission to a large extent.
What you describe would be way easier to implement by handing out unique tokens to each company, and then revoking tokens on my end. You can even do that right now by using a catch-all address, or the pretty common username+companynameandwhatever@example.com technique.
I do say that email isn't such a good example anymore. Medical records would be a better example. But such tokens would be included in DRM protected addresses, and their circumvention harder to deny. (Tokens by themselves are deniable.)
The goal seems to be to reduce the spread of DRM. I'm cool with that. However, I'm not sure that these actions will do anything at all to reduce the usage of DRM. My reasoning there is that those who want to use DRM are not going to accept any alternative that is not DRMd. So in order to stop spread of DRM, keeping DRM non-standardized would have to prevent others from adopting DRM.
So the ultimate question for me is: who's going to start using DRM that's not already? I think this set is zero. Adding standardization of DRM won't close up any more content that wasn't closed before, IMHO.
However, by not standardizing, we lock out all sorts of non-mainstream clients form accessing content. Now that Flash is going to disappear entirely, that means no access to all sorts of content on Linux, unless it's standardized.
So I see something to gain, and nothing to lose by standardizing DRM. I'm making assumptions to arrive at that conclusion, but I believe that they're no worse than the ones that Cory Doctorow is making here. It's just weird to see myself diverging from the EFF on this, and on T-mobile, and other things.