Re: "Enclosed shops" Re: HTML5 and DRM - A Middle Path? from Mark Watson on 2013-08-17 (public-restrictedmedia@w3.org from August 2013)

From: Mark Watson <watsonm@netflix.com>
Date: Fri, 16 Aug 2013 21:44:13 -0700
To: Matt Ivie <matt.ivie@gmail.com>
Cc: "public-restrictedmedia@w3.org" <public-restrictedmedia@w3.org>
Message-ID: <CAEnTvdDFUNoV8UOSvYvqoFRaJQtL7dzFkY_=XW7JMMNf40DVEA@mail.gmail.com>
On Fri, Aug 16, 2013 at 8:04 PM, Matt Ivie <matt.ivie@gmail.com> wrote:

> On Fri, 2013-08-16 at 11:23 -0700, Mark Watson wrote:
> >
> >
> >
> >
> > On Fri, Aug 16, 2013 at 10:38 AM, Andreas Kuckartz
> > <a.kuckartz@ping.de> wrote:
> >         Mark Watson:
> >         >> Would Netflix inform the public or shut down its operations
> >         when it
> >         >> receives a secret order to participate in surveillance by
> >         using a
> >         >> backdoor contained in a CDM which is already installed on a
> >         users
> >         >> computer? (After the shutdown of lavabit.com this
> >         unfortunately is
> >         >> not a rhetorical question.)
> >         >>
> >         >
> >         > That question is somewhat above my pay grade,
> >
> >
> >         You could ask someone who can answer the question. A positive
> >         reply
> >         would definitely be widely acknowledged.
> >
> >         > but my point is that it is no more likely that a
> >         browser-integrated
> >         > CDM contains such a back door than that the browser itself
> >         contains
> >         > the same thing.
> >
> >
> >         That seems to be true for proprietary browsers (and is a good
> >         reason not
> >         to use them), but it is not true for Open Source browsers
> >         because it is
> >         possible to verify that binaries and source code are related.
> >
> >         > And equally, it is no more likely that an OS-integrated CDM
> >         contains
> >         > such a back door than the OS itself contains it.
> >
> >
> >         For the same reasons as given above this is not true for Open
> >         Source
> >         operating systems.
> >
> >
> Let me parse this part of the response:
> > Obviously. I am talking about users who already have access to the
> > content in question today.
> I care little about you and your Free Software. You don't have great
> enough numbers for companies like Netflix to care. Move aside so our
> customers that don't question anything can keep paying for service.
>

Hi Matt,

I'm sorry that you felt my response was dismissive. I did not intend it to
be. Above I was a questioning the assumption that a browser vendor would
choose compromise their security and privacy principles when they integrate
with a CDM and of course this question only makes sense for browsers that
choose to integrate with a CDM. Hence my qualification.

It would be great if all content could be made available to platforms that
are entirely Free Software. Unfortunately, this is not a technical problem.
Some content providers insist on DRM and Free Software proponents reject
DRM. Entrenched opinions on one or both sides would need to change. This is
a technical standardization body and we are mostly standards engineers, not
politicians, so I think it's unrealistic to expect that problem to be
solved here. You can be assured that if I knew how to solve it I would say
so. In the meantime, there are improvements we can make to the status quo.


>
> > If you are unwilling to install code you have not compiled yourself
> > from source, then you are not using Flash or Silverlight today and
> > nothing in this discussion affects you at all.
> Mind your own business. Only speak when spoken to.
>
> > You either lose access to any content nor gain access to any content.
> > I'm sorry that EME doesn't make the content in question newly
> > available to you, but that's not a problem amenable to a technical
> > solution.
> >
> Because Netflix chooses to operate in a business model that requires
> control of how your computer plays media streams, and you've chosen to
> maintain that control yourself, Netflix has chosen to ignore any
> technical solutions that would allow you to gain access to this content.
> Look on the bright side chump, you're not losing access, so quit
> complaining.
>

The requirement for DRM comes from the people who create and license the
content to us.


>
>
> >         > So, EME and DRM are completely irrelevant to your
> >         > concerns.
> >
> >
> >         As we have already discussed for several months now (and we
> >         seem to
> >         agree) it is unlikely that the most relevant CDMs will be made
> >         available
> >         as Open Source. EME and DRM therefore are more relevant for my
> >         concerns
> >         than virtually all other components of an operating system.
> >         EME is the
> >         only specification discussed within the W3C which has such
> >         issues.
> >
> > In the respects we are discussing here then EME is clearly an
> > improvement over <object>.
>
> In what way? To my knowledge <object> only allows for non-free objects
> to be embedded in pages but it doesn't require them to be non-free and
> it certainly wasn't doesn't for that and nothing else.
>

Andreas' concern was that because CDMs are closed source, he cannot verify
that they do not compromise the security of his system or his privacy. He
stated that no other specification within W3C has such issues, but <object>
clearly also raises the same issue even though it merely "allows" non-free
objects. Also <video> allows non-free codecs. Of course you don't have to
use the non-free objects/codecs and this is the same with EME. Sure, EME
differs because there is presently only the rather unpopular clearkey
keysystem that could be non-free, but in the specific respect of Andreas'
concern I don't see much difference in principle.


> >
> >
> >         And to repeat: I am not aware of *any* operating system or
> >         *any* browser
> >         explicitly claiming to enable "silent monitoring". That is a
> >         feature DRM
> >         only shares with (other) spyware.
> >
> >
> > Well, the browser vendors will need to decide whether such a feature,
> > whatever it is, is compatible with the privacy/security promises they
> > make to their users. Again, that approach is an advantage of EME
> > compared to the existing situation where the browser vendors have
> > limited control over what proprietary plugins do and certainly
> > browsers are not making any promises to users about what plugins do.
> >
> No and this is why we need something better than proprietary software to
> solve this problem. You're presenting to evils and expecting everyone to
> be agreeable because one is less evil than the other.
>

All I have ever claimed is that our proposal is better than the status quo.
Your statement above seems to be agreeing to that.

...Mark

>
> > ...Mark
> >
> >
> >
> >
> >         Cheers,
> >         Andreas
> >
> >
>
>
> --
> /* Free software is a matter of liberty, not price.
>    Visit GNU.org * FSF.org * Trisquel.info */
>
>
>
Received on Saturday, 17 August 2013 04:44:40 UTC