w3c / encrypted-media

Encrypted Media Extensions
https://w3c.github.io/encrypted-media/

Formal Objection: Keep The Web Open And Free - Abolish DRM As A Standard #465

Closed ndugger closed 4 years ago

ndugger commented 4 years ago

I realize this is late to the party, but with new articles and issues popping up recently, I feel it's an appropriate time to re-open discussion on the negative impacts of the EME standard on our free and open web.


The introduction of EME (DRM) has created a closed web. It is no longer feasible for "indie" browser developers to fulfill the contract that the w3c has laid out before us. It's a real shame that we let big companies bully an entire free and open platform into closing its doors. This is the end of a free and open web.

https://boingboing.net/2020/01/08/rip-open-web-platform.html
https://blog.samuelmaddock.com/posts/the-end-of-indie-web-browsers/

I recommend that we either petition to abolish DRM from browsers, which is unlikely, or we petition Google and Microsoft to make their CDMs more freely available.

Microsoft's fees for use of PlayReady are completely asinine, and apparently Google's communication surrounding Widevine is sparse and inconsistent.

If you say that you're free to implement your own CDM, feel free to take a look at Widevine's architecture: https://web.archive.org/web/20180122175750/https://storage.googleapis.com/wvdocs/Widevine_DRM_Architecture_Overview.pdf -- It's not so simple.

The barrier for entry should not be so high to the point of being unattainable.

See https://github.com/w3c/encrypted-media/issues/379

Discussion around this subject has been closed previously with a remark leading to a page of meeting notes from w3c: https://lists.w3.org/Archives/Public/public-html-media/2017Jul/0000.html

Given all of these considerations, the Director feels that this objection was addressed.

I reject the notion that this has been adequately addressed.

Either the platform needs to change, or the companies abusing their power to monopolize the platform need to change.

jbis9051 commented 4 years ago

I recommend that we either petition to abolish DRM from browsers, or we petition Google and Microsoft to make their CDMs more freely available. Microsoft's Apple's fees for use of FairPlay are completely asinine, and apparently Google's communication surrounding Widevine is sparse and inconsistent.

Getting rid of DRM could have undesirable consequences. Netflix, Amazon Prime Video, Spotify, Apple Music and many other streaming services all use DRM. Much of their content would probably not be available without DRM, especially the offline features offered.

Getting these companies to make DRM free is great and all, but instead, I support the creation of a free open source DRM solution. Chromium, Firefox, and WebKit are all open source projects so we shouldn't have a problem adding the feature once made. However, making it may be difficult. After some attempted research, it is extremely difficult to find any information regarding how Widevine or FairPlay DRM actually works under the hood. There is some general information about Content Decryption Modules (CDMs) and such, but how it actually works seems to be a mystery. This is probably intentional, as I suspect much of DRM is security through obscurity, which is another reason why an open source solution may be difficult to make. If we go this route, one thing to remember is that DRM is never going to work perfectly; after all, the client somehow needs to decrypt the files and display them, and therefore there will always be some way to break the DRM. Its job is to make it difficult and discourage people from trying to break it.


Update: After more research and a question on SE, it appears DRM is "99% obfuscation" so an open source solution isn't possible.

forresthopkinsa commented 4 years ago

Getting rid of DRM could have undesirable consequences. Netflix, Amazon Prime Video, Spotify, Apple Music and many other streaming services all use DRM. Much of their content would probably not be available without DRM, especially the offline features offered.

Their content is always going to be available to the web, or else they'll go out of business. If the web doesn't have DRM then they'll figure out some other way of appeasing the MPAA, etc.

I don't know enough about DRM to be able to offer any insight into what Jbis was saying about how it works under the hood, but we all know that security through obscurity is nonsense.

On the other hand, open-source security only works if the community has a vested interest in keeping the software secure, and I think DRM is probably the least popular class of security software. In fact, it may be the only software that the community, given the opportunity, would actively work against.

But that's just conjecture; if people were really motivated to placate the copyright holders then they might work together to make a good open-source DRM, but I guess I'd have to see it to believe it.

tl;dr: DRM and Open-Source are fundamentally incompatible concepts, so it would be a challenge to make them work together

tidoust commented 4 years ago

@ndugger, this repository is managed by the Media Working Group. Per charter, that group is scoped to maintenance and four additional features for EME listed in the charter. Anything else is out of scope for the group. Your comment goes beyond what the group can possibly address. As such, the group can only record your comment and pass it on to the Director next time it sends a transition request for the specification.

In any case, requests to specific companies should be brought to them directly, e.g. by filing bugs in their respective issue trackers.

I note, looking at the title of this issue, that communication in this repository is covered by W3C's Code of Ethics and Professional Conduct.

ndugger commented 4 years ago

@tidoust Thank you for your response. I have modified the title to conform to the code of ethics. Would you have any recommendations on how/where to present this issue in a place more fitting?

paulbrucecotton commented 4 years ago

@ndugger

Several of your concerns were dealt with by the W3C Director in 2016-2017 when he approved EME V1 as a W3C Recommendation. I recommend you review the history of the previous Formal Objections [1] on EME and how they were dealt with by the Director [2].

[1] https://lists.w3.org/Archives/Public/public-html-media/2016Sep/0003.html
[2] https://lists.w3.org/Archives/Public/public-html-media/2017Jul/0000.html

Paul Cotton Former W3C Chair HME WG

ndugger commented 4 years ago

@paulbrucecotton Thanks for responding! I read the director's response in the July 2017 notes, and I stated in my post that I reject the notion that this issue has been adequately addressed.

Having such a substantial standard be "voluntary" (I realize all standards are voluntary, but so far none have been as problematic as this) is not satisfactory, as it limits the ability of newer/smaller browsers to compete in the space. If a standard is not implemented, then the browser is not fully compatible with the web platform, and users would need to use multiple browsers if they wanted to use services like Netflix, which is just going to hamper adoption of newer browsers.

vladimir-kazakov commented 4 years ago

Having such a substantial standard be "voluntary" (I realize all standards are voluntary, but so far none have been as problematic as this) is not satisfactory, as it limits the ability of newer/smaller browsers to compete in the space. If a standard is not implemented, then the browser is not fully compatible with the web platform, and users would need to use multiple browsers if they wanted to use services like Netflix, which is just going to hamper adoption of newer browsers.

EME helps player developers to work with different CDMs (from Microsoft, Google, Apple, etc.) in the same way. It's an interface for interacting with any CDM that implements it. You propose to remove EME, but what will it give you?

As was already mentioned, removing EME won't change anything regarding DRM, because content owners will still need to protect their content. DRM is the best approach that they know about. Without EME, web browser developers that also own CDMs will either start using proprietary plugins (like Silverlight and Flash) or make CDMs a part of web browsers. Neither of these is good for everyone. Viewers will still need a unique web browser (maybe also with a unique plugin) to watch what they want. CDM owners will need to create plugins, which is not simple, considering the number of web browsers in the wild. Player developers may lose the single interface to work with any CDM, which will make their life even more complicated.

It doesn't matter whether EME exists - you, as the new web browser developer, will have the same problems. What are the chances that Microsoft will create a plugin (or adapt their CDM) for your new web browser, which is used by your friends only?

I support the creation of a free open source DRM solution. Chromium, Firefox, and WebKit are all open source projects so we shouldn't have a problem adding the feature once made.

Adding a new DRM system to the existing ecosystem won't solve any problem, and will make the ecosystem even more complicated. Today, in order to make protected content available to as many platforms as possible, content owners have to explicitly support as many DRM systems as possible. Since it may be complicated and expensive, they often choose to support only a subset of DRM systems that will cover the majority of viewers, who don't use the latest hardware and software, which will be needed to support the new DRM.

Speaking of hardware (devices), you focus on web browsers while talking about the new DRM system, but the majority of viewers don't use web players and EME. They're on mobile devices, watching content through native apps, which use native platform capabilities. So, if you want your new DRM to be popular, you'll have to add support for all devices that viewers may use. Not only new devices, but already released ones. If you can't do it, there will still be a need for old DRM systems, which, compared to your DRM system, are already used successfully and are already popular. Another reason to not complicate everyone's life with your new DRM system.

petition Google and Microsoft to make their CDMs more freely available.

This idea is probably the only one that would make everyone happy. Google's Widevine CDM is already used outside of Chrome, in Firefox and Electron. If DRM system owners (CDM developers) would make it possible to use their CDMs in different web browsers (which Google already partially did; in fact, their CDM can even be freely downloaded), new web browsers could use them to play protected content. That said, it has nothing to do with EME and this issue tracker.