Re: Campaign for position of chair and mandate to close this community group from Rüdiger Sonderfeld on 2014-01-16 (public-restrictedmedia@w3.org from January 2014)

From: Rüdiger Sonderfeld <ruediger@c-plusplus.de>
Date: Thu, 16 Jan 2014 18:03:39 +0100
To: Mark Watson <watsonm@netflix.com>
Cc: "public-restrictedmedia@w3.org" <public-restrictedmedia@w3.org>
Message-ID: <2102620.YMqZH1t2EW@descartes>
On Thursday 16 January 2014 07:35:57 Mark Watson wrote:
> It's in the future, so of course there is no guarantee.

But if we don't have a guarantee that the EME proposal would make supporting 
additional platforms easy then in what way is it advancing the W3C's goal?

> > The security and privacy properties cannot be controlled by the user and
> > not
> > be controlled by the browser vendor.  It can only be controlled by the CDM
> > implementor.  Which again favours browser vendors who are also CDM
> > vendors.
> > With EME the cost has to be covered by the browser vendor, in a gratis
> > browser
> > market, instead of the service provider with their service fees.
> 
> You're making an assumption about CDM vendor business models. In a
> competing market, the successful CDM will be the one which is more widely
> supported across platforms. It's certainly conceivable that a CDM vendor
> chooses to give away their client component for free and make money from
> the service providers.

But there won't be a competing market on the basis of CDM.  The current EME 
proposal prevents a competition on the basis of CDMs because the browser 
vendor determines which CDMs to support and thus can simply due to the market 
share of their browser make the CDM successful.  Again three of the four major 
browser vendors are CDM vendors.  Including the two browser vendors involved 
in this proposal.  I don't see where there is room for an open market?

And Microsoft has already set an example in the past that they do not agree 
that more widely support across platforms would be in their interest, when 
they denied the request of the Moonlight developers to provide them with a 
PlayReady CDM.

For an open market the EME proposal should require that browsers support any 
CDM over a plugin interface.

> We're repeating a previous discussion, but browsers make certain privacy
> and security promises to their users. The EME specification is clear that
> they are not let off the hook here when they integrate a CDM. Noone should
> expect a browser to integrate with a CDM without a clear understanding of
> its privacy and security properties and then the browser should take
> appropriate steps to protect users, for example clear approval dialogs if
> they deem that necessary. It's also the browser that determines the API
> that the CDM has access to. These sections of the specification are open
> for discussion if people have ideas for improving this.

But the CDMs are not free software so how can there be any such promise?  The 
user certainly cannot verify it.  The browser vendor cannot verify it unless 
they are also the CDM implementor.  The API is not enough to limit the 
capabilities of the CDM.  The CDM (proprietary black box) could extract and 
share any kind of information.  It has been known in the past that DRM modules 
have such behaviour, e.g., the infamous Sony rootkit.

If the EME proposal wants to make privacy and security promises about the CDMs 
then it should require that the CDMs are free software.  This however would 
not be possible with DRM.

> > Not effectively.  There will be only one legal way to implement EME and
> > integrate with CDMs.  And that will be to license a CDM under the
> > conditions
> > of the CDM vendor who will very likely also be a competing browser vendor.
> > 
> >  If
> > 
> > the CDM vendor refuses a license or the conditions are not acceptable
> > (e.g.,
> > not compatible with the software license used by the browser vendor or
> > simply
> > too expensive due to the gratis market for web browsers) or do not cover
> > all
> > use-cases (platforms) then there is no legal way.
> 
> You're making a lot of assumptions here.

What do you mean by "a lot of assumptions"?  I'm presenting several scenarios.  
Which I think are likely because the EME proposal does not make any 
requirements on the CDMs license conditions.  E.g., Microsoft refusing to 
provide the Moonlight developers with a PlayReady CDM; or the price tag for a 
Microsoft PlayReady Porting Kit ($30,000 and additional $0,35 per activated 
application) alone would scare off developers of many smaller browsers; or the 
PlayReady licensing explicitly being incompatible with the GNU GPL; or the 
lack of CDMs on GNU/Linux.  These are not assumptions but facts.

> I do agree that the problem of
> ensuring that browser implementors that are not CDM implementors have
> access to a solution is one of the bigger problems here. We certainly want
> a solution for Firefox, for example, in advance of the end-of-life of
> Silverlight (well, hopefully a long time before that).

Who is "we"?  The W3C and web community?  Providing a solution for Firefox is 
not enough.  This would cover the four major web browsers.  But it would not 
help any web browser with smaller market share.  And in fact it would be 
complicated for Mozilla to distribute Firefox as free software if it includes 
an unfree DRM module.

The EME proposal should at least include requirements for CDM licenses to be 
confirming to the W3C's principles and requirements.

Regards,
Rüdiger
Received on Thursday, 16 January 2014 17:04:12 UTC