Re: Trust

On Wed, Oct 16, 2013 at 4:30 PM, Duncan Bayne <dhgbayne@fastmail.fm> wrote:

> > > The web is 'the place' for standards-compliant content that is
> > > accessible with anyone with the wherewithal to implement a
> > > standards-compliant client.  It is not a place for DRM-restricted
> > > content.
> >
> > This is your *opinion*.
>
> No, it's the position of the W3C as stated on their website.


Where ? And anyway, what the web "is" is not defined by you or I or the
W3C but by the hundreds of millions of people who contribute to and make
use of it every day. It is through their many and varied decisions of what
content to publish, what services to invent, what sites to visit and
contribute to (including monetarily if they choose) that the web is
defined. No bold statements or manifestos can constrain it, thankfully.



>  Perhaps
> what is necessary is for them to adjust their mission and goals, but
> currently, that's the way it stands.
>
> > I am still waiting for you to get down to details;  I gave a list of
> > pluses and minuses, do you really have nothing to add?  If not, this
> > debate will stay vague and high-level, and probably have no effect at
> > all.
>
> Here's what I wrote originally about this on the W3C blog in reply to
> Jeff Jaffe (
>
> http://www.w3.org/blog/2013/05/perspectives-on-encrypted-medi/#comment-13470
> ):
>
> =====
>  > Duncan, lots of questions, let's see if I can do them all justice.
>
> Thanks :) And I appreciate the job of moderation here too - there's a
> very high signal to noise ratio which I hadn't expected for an issue
> this contentious.
>
> > You ask about how content protection relates to the objective of ensuring
> > the long-term growth of the Web. Of primary importance to me is that
> > people can get access to content - and that we don't have a situation of
> > certain content becoming a walled garden on the web or available only
> > through apps. So that is why we think it is important to address content
> protection.
>
> DRM is software that is designed to restrict a user from playing content
> on certain devices, in certain ways, and in certain locations. I think
> that is the very definition of a walled garden. I genuinely do not
> understand how you believe that supporting DRM will elminate walled
> gardens.
>
> In the best case we will have moved from an ad-hoc collection of walled
> gardens, to an ad-hoc collection of walled gardens with the support and
> moral endorsement of the W3C.
>

You're saying that content on the web constrained by DRM is no better than
content constrained by native apps (and therefore not on the web). I think
what is being claimed counter to that is that there are advantages to
having content on the web, even if constrained by DRM, compared to having
it only available in native apps. For example, there is a wider contention
between the web and native apps and some people feel that conceding this
class of content to the native world would be a loss in that wider battle.
I appreciate that this is a judgement where we may just have to agree to
disagree.


>
> If your concern is genuinely to eliminate the need for apps, and the
> enclosue of content in walled gardens, why not use your considerable
> influence in opposition of DRM altogether?
>

Sad to say, but I don't think the W3C has much influence on whether
content owners require DRM or not. The criteria that motivate that decision
have nothing to do with the web or W3C's position.


>
> > Frankly, I don't understand the question about insisting that compliant
> > implementation respect geographic location. As a general rule, we don't
> provide
> > conformance testing and have no way of insisting what people implement.
>
> That was my point :). The W3Cs mission states that:
>
>     "One of W3C's primary goals is to make these benefits available to
>     all people, whatever their hardware, software, network
>     infrastructure, native language, culture, geographical location, or
>     physical or mental ability."
>
> Breaking down that list, we see that DRM is inimical to several goals:
>
>  * hardware: DRM implementations are known for being hardware-locked;
>  Netflix is the most prominent recent example, re. the ARM-based
>  Chromebook
>  * software: existing DRM implementations are tied to specific browsers
>  and operating systems
>

A goal is something that you move towards. If, for reasons beyond your
control, you cannot fully achieve your goal, there is still value in moving
in the direction of that goal. We should look for solutions that increase
the hardware / software combinations where content can be viewed, but there
may remain combinations that are out of reach, not because of any willful
omission or lack of technical inventiveness but because some *people* have
incompatible requirements that we cannot resolve through technology. In
that case, it's not reasonably to say that because we cannot achieve
everything we should do nothing.



>  * geographical location: many (most?) DRM implementations implement
>  geographical segregation (a.k.a. region encoding)
>

I don't see how EME could play a role in geographic restrictions. These
are usually based just on geo-IP lookups.

The Internet can deliver a packet from A to B independent of the
geographical location of A and B and this makes it possible to create
services that are independent of geographic location. But this is not true
of all services. The Internet cannot, for example, deliver a high quality
video stream in real-time from A to B independent of the geographical
location of A and B - you need infrastructure close to the users. It does
not provide a global method of making payments and it does not provide any
support for offline marketing (and even online marketing is region-specific
because different websites are popular in different regions). It does not
cause government regulations to be the same in all regions. So, when it
comes to providing a paid-for service, with the quality expectations that
come with a paid-for service and the marketing needed to make that viable,
the Internet doesn't provide a completely geographically-agnostic platform,
yet.

Given the above, geography-specific content licensing still makes sense,
because services (and their users) don't want to pay licensing costs for
regions they do not operate in. When the above things are resolved, global
licensing completely makes sense, but it is going to take a while to get
there.


>
> That is, by lending support to DRM, the W3C is helping to ensure that at
> least some web content is restricted by hardware, software, and
> geopgraphical location. This is in direct opposition to several of your
> stated goals.
>

Content is already restricted by hardware, software and geographic
location. There's no sense in claiming we have some counterfactual present
condition where that content is not restricted and the W3C is going to make
it restricted. The proposal is intended to make that content *more* widely
available. There are lines of criticism which say it does not really do
that, or does not do it enough and I accept we should discuss those and
improve the proposal in that respect.


>
> > I also don't understand your question about trust. We have a great deal
> of
> > work in security, for example; much of which is necessary because we
> cannot
> > rely on trusting that everyone always does the right thing. Every time
> that we have
> > less security it actually causes less trust. Your question seems to
> imply that by
> > the ideal system is totally trusting, but truthfully a totally trusting
> system gets
> > hacked all the time and reduces trust.
>
> It was poorly expressed, my apologies :(
>
> To put it a different way: DRM removes control of certain aspects of a
> device that I own, and places it in the hands of another. It does so in
> a manner that could not be less trustworthy: most DRM solutions are
> proprietary, closed-source applications.
>
> This means that I can't rely on others to audit it for me (as with FOSS)
> and I can't audit it myself.
>
> Some DRM implementations in the past have been so aggressive in their
> usurpation of control that they have qualified as malware; the Sony
> rootkit is a particularly egregious example of this.
>
> DRM actively reduces the trustworthiness and security of all machines on
> which it is installed. It has to by design: its stated purpose is to
> restrict the capabilities of a general purpose computer.
>

If we consider machines which have DRM components installed today, then
EME offers some prospect of improving security and privacy for those users.
Noone who doesn't have DRM components installed today needs to install them
as a result of EME.

...Mark



> =====
>
> --
> Duncan Bayne
> ph: +61 420817082 | web: http://duncan-bayne.github.com/ | skype:
> duncan_bayne
>
> I usually check my mail every 24 - 48 hours.  If there's something
> urgent going on, please send me an SMS or call me.
>
>