Re: Unrestricted publishing in EME? Re: DRM, EDE, CDM, W3C and the TAG:

On Mon, Dec 2, 2013 at 12:25 AM, Tim Berners-Lee <timbl@w3.org> wrote:
>
> On 2013-10-28, at 05:38, Henri Sivonen wrote:
>
>> On Sun, Oct 27, 2013 at 8:27 PM, Tim Berners-Lee <timbl@w3.org> wrote:
>>> Can we imagine or design a EME system which instead
>>> as usable by anyone as a publisher?
>>
>> I find it *very* distressing that you are talking about making DRM
>> egalitarian in this sense
>
> Ignoring the other forms below, why *are* you averse to exploring opening up closed platforms?

That's a loaded question the presumption of which does not follow from
what I said. I'm not averse to opening up closed platforms.

>> rather than talking about making DRM
>> egalitarian in the sense of allowing anyone to implement and ship the
>> client technology stack royalty-free and without having to get keys
>> signed by a particular gatekeeper
>
> That would meet the open platform requirement.
> How do you think we should do that?

I'm not aware of a way to specify the kind of DRM that one would
expect Hollywood to approve without a gatekeeper. I think it would be
unwise for me to speculate on the feasibility of the royalty-free
part.

So in order to have a platform without gatekeepers, the platform can't
have Hollywood-grade DRM.

>> or talking about making DRM
>> egalitarian in the sense of different suppliers of the non-DRM parts
>> of the stack having a level playing field when it comes to integrating
>> with the DRM part as opposed to DRM component supply getting coupled
>> with the supply of the rest of the client stack.
>
> That is important too, and I'd be happy with an FOSS DRM stack
> but people are skeptical that it would have any effect, not getting enough trust
> from the content owners.   We can only guess of course.

The point of the quoted bit from my previous message was to separate
the supply of the DRM part from the non-DRM browser part. The browser
part could be FOSS. The DRM part can't be.

> Suppose we make a condition of EME going though that there be
> at least one FOSS implementation - would that help?

It wouldn't. There already is a FOSS implementation of *EME* (in
Chromium), but the interesting part isn't EME but the CDM. Chrome's
Widevine CDM is not included in the Chromium code base.

>> The reason the W3C is even talking about DRM is that the major
>> Hollywood studios have decided to require DRM and users want to see
>> movies from Hollywood majors so badly that the studios can get away
>> with their DRM requirements. That sort of situation doesn't apply to
>> all publishers. Not all publishers want to impose DRM and many that do
>> aren't publishing content that is in enough demand for people to
>> tolerate DRM on that content. From a health-of-the-Web perspective,
>> there's no need to make DRM egalitarian in terms of making it readily
>> available to all publishers.
>
> You are happy then for Apple to decide what movies you watch on an iPhone,
> Sony on a Sony device, etc?

No, I'm not happy about that sort of thing, but that sort of thing
isn't the status quo, AFAIK.

You say that as if Apple and Sony currently imposed that level of
control and as if EME somehow took the control of DRM on iOS away from
Apple. Currently, developers of iOS native apps can license non-Apple
DRM such as Adobe Access
(http://www.adobe.com/support/adobeaccess/pdfs/client/ios_readme.pdf)
or Microsoft PlayReady
(http://www.microsoft.com/en-us/news/press/2013/sep13/09-13playreadypr.aspx).
Do you have a reason to believe that Safari on iOS would support
non-Apple DRM with EME or that it would support Apple DRM with the
matching server-side components available to any publisher? I don't
see indications of non-Apple DRM support coming to Safari on iOS,
Apple DRM with licensable-by-any-publisher server side coming to
Safari on iOS or non-Apple browser engines becoming permissible on
iOS.

Furthermore, any copyright holder can choose to make movies that they
hold copyright to available on any HTML <video>-enabled system by
forgoing DRM. It's not like any device vendor is blocking any
copyright holder from publishing in that sense.

> The open platform you may not classify as health-of-the-web but when many
> people talk about DRM harming openness, they aren't talking about
> health-of-the-web, but openness of the device.

Do you see EME helping with the openness of devices? How?

>> Any copyright holder is free to
>> participate on the Web already if they don't self-impose DRM.
>
> So using DRM will be the privilege of Hollywood alone?
> Well, that's a model.

I wouldn't call it a "privilege".

> If anyone else puts something on the web, then you think they
> will just put it on unencrypted?

If they host themselves, yes. Some movies that are not from
"Hollywood" will probably continue to be DRMed by going through
intermediaries whose hosting platform is built for Hollywood movies
(such as Netflix), even though the copyright holders would never have
had the market power to insist on DRM on their own if they didn't have
the chance to piggyback on stuff built for Hollywood. Maybe services
like Brightcove start offering DRM hosting as a service, but then
indies will see the price tag on DRM, and I expect most to opt not to
internalize the price when shown a clear price tag that they can opt
out of.

> Let's take an independent film.
> What about say http://www.godlovesuganda.com/ ?
> That is not available online from their site.
> Clearly they have the ability to put it up on their website without DRM as in http://www.godlovesuganda.com/film/video/
> Netflix says: "God Loves Uganda is unavailable to stream"
> Maybe that one is too recent, "just in theaters" stage.
>
> Let's look for an earlier one from say http://www.fordfoundation.org/issues/freedom-of-expression/justfilms/film-collection#default
>
> How about the earliest: "The Life and Times of Rosie the Riveter" (1980).
> I see online the trailer and a discussion panel on it.
> Netflix says: "Life and Times of Rosie the Riveter is unavailable to stream"
> iTunes doesn't have it.
> Neither is on YouTube.
> I guess it is not available online.
>
> Currently they are only shown at theaters, they are off the web.
> These may not be good examples.

Indeed, these are not good examples of what kind of movies that EME
would supposedly make available on the Web, since they aren't
available via DRMed services at present. That is, there's no
indication that the unavailability on the Web is a DRM issue.

>> As far as publishing goes, DRM indeed isn't egalitarian in terms of
>> applying it to content, but the W3C would *totally* be missing the
>> point by being uncomfortable with *that* non-egalitarian aspect of
>> DRM. That's like observing that some countries have software patents
>> and some don't and making it egalitarian by making all countries have
>> them.
>
> Bad analogy. Emotive, but not an analogy.

Why not?

> Is it more like noticing that in some countries a monopoly ice-cream vendor controls all the refrigerated delivery vans, and so you can only buy one brand of ice-cream,
> whereas if you separate the business of owning refrigerated trucks from the business of making ice-cream, then all kinds of mom and pop ice cream producers can flourish.
> Maybe the refrigerated vans are patented -- would you then fight against the idea of allowing the market to open up and would you want us all to stick with the ice-cream monopoly?

This is a bad analogy, because as noted above, in the case of movies, the
requirement for DRM is not an intrinsic characteristic of the product
but self-imposed by the producer. If ice cream was like movies, mom
and pop could opt not to refrigerate even if refrigeration was
controlled.

If you didn't mean that there are countries where there's a monopoly
on refrigerated deliveries to supermarkets (which country has that
situation?) but meant the sort of ice cream vans that drive to
residential areas and sell ice cream out of the van directly to
consumers, your analogy is bad, because the reason why there tends to
be at most one company providing that service in a given market is
that there isn't enough demand to support multiple vendors
(considering the cost of operating the vans in competition with
brick&mortar points of sale)--not that the mobile refrigeration
technology is controlled (it's over 20 years old).

>> However, even if there is only a little DRMed content that is in broad
>> demand on the Web, whether DRM is egalitarian as far as implementing
>> and shipping the client technology stack matters for the health of the
>> Web. Similar to patents being a problem in terms of implementing and
>> shipping the client stack even if patents only apply in some
>> countries.
>
> Yes.  Do you want to push for an RF stack then?

If the codec were RF, too, yes. H.264 isn't, so even if the DRM part
were RF, the entire H.264-using CDM wouldn't be. This would be more
problematic than non-DRM H.264, because with non-DRM H.264 there's the
opportunity to delegate to platform decoders (i.e. pass the problem
down the stack from the browser). With DRM H.264, you don't get to do
this unless the platform decoder is designed for DRM use (and it
generally isn't except on Windows Vista and later).

>> DRM client implementation hasn't been egalitarian previously in the
>> sense that the DRM parts of Flash Player and Silverlight aren't
>> independently interoperably implementable (as evidenced by Gnash and
>> Moonlight not having the DRM parts), but at least within the confines
>> of each operating system for which Flash Player and/or Silverlight has
>> been available, the playing field has been level between browsers in
>> the sense of browsers being free to independently interoperably
>> implement an NPAPI host. So far, it looks like EME is changing that
>> dynamic and making DRM less egalitarian in that sense.
>
> Sorry, explain.   EME will allow plugins too, no?
> I understood that that was the intention of at least some players.

The spec allows CDMs as plug-ins. It doesn't follow that the market
dynamics will, therefore, result in CDM plug-ins. So far, the browsers
that have shipped EME have come from vendors who control the browser,
the OS and the CDM and bundle all the three together, so evidence so
far points in the direction of a CDM distribution/licensing model
that's not the plug-in distribution/licensing model.

>>> (Clearly, you might think, this won't work as for a system to be so highly
>>> used by both consumers and receivers it would be cracked instantly.
>>> But actually DRM is cracked anyway -- you can play anything over an HDMI cable
>>> and crack the HDMI cable.[1]  So we are not talking about an uncrackable system
>>> anyway. Just one where people will be more inclined to pay for the stream
>>> and less inclined to record it.)
>>
>> Please see the part about HDCP in
>> http://lists.w3.org/Archives/Public/public-html-media/2013Mar/0066.html
>> .
>>
>
> I wasn't saying that EME is like HDCP, just reiterating that no
> system is going to be uncracked for long, no content of interest unavailable
> on torrent etc.  As you say in your message  0066, it is the DMCA
> which blocks that route for many users, not technology.

Not that much for *users*. It blocks law-abiding in-daylight
*technology providers* from delivering interoperable products without
permission.

>>> Can we while we are at it build a DRM system which is sandboxed so it can't
>>> call home, or is prevented from reading any data about me from my system?
>>
>> Technically possible. However, it seems that so far, when robustness
>> requirements and privacy concerns have been at odds, robustness
>> requirements have had a tendency to win. That is, at least so far DRM
>> vendors have had stronger incentives to address robustness concerns
>> than to address privacy concerns.
>>
>> Please see the part about DRM running on a higher CPU privilege level
>> than even the browser-visible kernel in
>> https://groups.google.com/forum/#!msg/mozilla.dev.planning/4-svns_uEjA/Hc-eaIfAtUoJ
>> .
>
> Indeed.  "but if you aren't the  one controlling the hypervisor, you don't
> get to make the rules. " .
>
> W3C groups sit at the border of technology and policy.
> In some ways we actually define policy every day when we define what headers etc mean,
> in some ways we leave it to government agencies and legislators.  Maybe we should
> start to put together a package, that we define a world in which either DRM blogs agree not to abuse user privacy, or we make it so that hypervisor writers or a sandbox system enforces such things.  In some ways, it may be easier to define it as a code of conduct.
> User pressure in the US or maybe regulation in Europe would then

Would then?

The group defining EME isn't even willing to put its foot down on the
side of privacy *normatively* on matters like persistent storage or
exposure of proof of possession of computer-unique over-time-stable
key material, so I'm not holding my breath for the W3C regulating DRM
designs.

-- 
Henri Sivonen
hsivonen@hsivonen.fi
http://hsivonen.fi/

Received on Monday, 2 December 2013 17:00:08 UTC