W3C home > Mailing lists > Public > www-tag@w3.org > November 2013

Re: Unrestricted publishing in EME? Re: DRM, EDE, CDM, W3C and the TAG:

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Tue, 5 Nov 2013 18:43:24 -0700
To: Tim Berners-Lee <timbl@w3.org>
Cc: "L. David Baron" <dbaron@dbaron.org>, www-tag@w3.org
Message-Id: <20131105184324.eb0b727e9bc7df9ed11dc6b2@bisonsystems.net>
Tim Berners-Lee wrote:
> Eric J. Bowman wrote:
> > Tim Berners-Lee wrote:
> >> 
> >> Suppose though we could impose constraints on DRM systems
> >> which were attached. One of the many criticisms of current DRM
> >> systems is that they are controlled by a single bottleneck vendor,
> >> in some cases the hardware vendor.
> >> The system protects the content of those who distribute
> >> through the channel, but the channel is a single one,
> >> and so not everyone can play.  Some assume that any
> >> EME system must be like that -- but does it have to be? 
> >> 
> > 
> > Why make it easier for this hideous concept to procreate?  Not
> > having a DRM framework in HTML at all would hasten the demise of
> > DRM, which seems a much more desirable outcome than wasting *any*
> > bits defining a framework to perpetuate such nonsense.
> Whether it would hasten that demise or a question of forecasting the
> future under a lot of uncertainty, and others suggest having the DRM
> more open and more standard would hasten its demise as it would
> whittle down the proprietary non-open-source-able bits to a minimum.
> We will never be able to know what will happen in advance for sure,
> but also we can agitate rather than just sit

The demise of DRM is an easily-observable trend, amongst many of DRM's
formerly-strong proponents.  The only surprise is that it took so long
for those with six-to-eight-digit salaries to realize what's long been
obvious to anyone with $5 of common sense:  any business model based on
suing one's own customers for sharing, is inherently unsustainable.

It's the very uncertainty of the future which should make us question
any assumptions behind an effort to buck such a trend (aside from my
personally not wanting to see w3c adopt Microsoft's "embrace-and-
destroy" tactics).  Didn't Vince Gilligan recently credit BitTorrent
(well, maybe not directly) for the early success of "Breaking Bad"?


Despite an almost total failure to provide content the way consumers
want to obtain it, isn't Hollywood more profitable now than it's ever
been?  While this gives them the power to go against what the free
market is demanding, shouldn't we hesitate before giving them tools to
achieve business goals based on such easily-refuted assumptions?

Particularly when doing so could be construed as interfering in the
market, i.e. protectionism?

> >  Any framework (e.g. EME) is
> > guaranteed to be at the mercy of the underlying DRM, unless DRM
> > itself is somehow re-engineered to be less nefarious -- which
> > contradicts the business goals of those who insist on DRM in the
> > first place.
> Well, there is the business goal of preventing people copying a
> stream of video,

Which is a technically-unobtainable goal, and not just due to the analog
hole.  More disturbingly, such prior restraint violates my right to
free speech, via Fair Use, as repeatedly established by the Supreme
Court every time the entertainment publishers sought to destroy content-
copying technology from the DVR all the way back to player-piano rolls.

An obtainable business goal would be to adapt to the disruptiveness of
the Web instead of fighting it, by providing content the way users want
to consume it.  This may be empirically shown to achieve the goal of
reducing piracy to a negligible level.  Rather than try to prevent
humans from sharing, remove their motivation... no DRM required.

I find most interesting, the game that was released on DRM DVD, and DRM-
free gog.com.  The BitTorrent rip is of the DVD.  Why is there no
market demand for a rip of the DRM-free release?  It's the same game.
For this and other reasons, I'm highly suspicious of claims that only
by preventing copying, can piracy be prevented.  The issue isn't that

> and there is a business goal of being the single gateway bottleneck
> agency for everything bought/played/installed etc on a given
> platform. 
> You lump them together.  Suppose we separate them.  We provide a
> system which meets the first but not the second. A company which
> says, "Well, we would have used for EME system to stop people ripping
> our products but we won't because also we want complete stranglehold
> on the whole device" will be making a choice. If it plays that card,
> that is a strong statement both to users and regulators, which they
> could get a lot of push back against.

Or, we draw a clear line for participation in the Open Web, around Fair
Use.  Where the first business goal may be met by adapting to the
market without categorically imposing prior restraint, companies are
able to make the strongest statement possible about respecting users'
rights instead of treating them as criminals (Who are those anti-
piracy warnings on DVDs for, anyway?  Not those who see them, surely.)

This has the benefit of not changing the User-Agent paradigm at all,
vs. the suggestion that it be made into a Publisher-Agent for certain
forms of content (and where does that stop once Pandora's Box is opened
for movies).  If I have a right to create non-infringing derivative
works from an HTML interface, I don't want my HTML User-Agent telling
me otherwise at the behest of ill-informed, or outright deceptive,
content publishers.

Which goes every bit as much against my notion of an Open Web, as
walled gardens.

> Or maybe the tendency will be stronger to release the stranglehold,
> and lead to an open market.

Particularly if HTML doesn't include a mechanism to deny users their
rights.  I don't see how any mechanism which grants a fantasy "right to
engage in prior restraint" to producers, in any way leads to openness
-- let alone has any support in copyright law.  Copyright, as worded in
the US Constitution, promotes openness; as does the First Amendment's
prohibition of prior restraint.  The act of copying itself cannot be
restricted, because not all uses of said copies violate the _limited_
rights granted to copyright holders.

> > 
> >> Can we imagine or design a EME system which instead
> >> as usable by anyone as a publisher? Suppose anyone could set up
> >> an web serve and serve encrypted content to end users without
> >> going through a bottleneck vendor.
> >> 
> > 
> > But, why would I as a publisher want to do that?  It makes no sense
> > to me, to limit (if not remove outright) fair use of any content I
> > publish.
> The live show business model, for example.
> " And it’s never recorded. It’s live and then it’s gone.".
> -- http://www.concertwindow.com/open_faq
> to pick an arbitrary example.

Fraudulent claim, given the analog hole.  Ignores Title 17 of the
copyright act.  Given a private venue under the producer's control,
those admitted may be enjoined from recording; but this right doesn't
exist when broadcasting over public airwaves, or publishing on the
public Internet.  I have a right to timeshift that content at my
discretion, regardless of when it's "aired", unless the delivery
platform is a "walled garden" where the service terms prohibit such use.

I don't recall agreeing to any such restrictions on my rights when I
installed / first used any Web browser.  Therefore it seems to me, that
publishers using HTML must respect my rights, instead of attempting to
impose legally-baseless restrictions on my fair use of their content;
what's worse is when they try doing this just by virtue of my having
viewed their content (i.e. "by virtue of viewing this web page, you
agree to a bunch of BS which would never hold up in court").

> Not because one wouldn't want fair use, its just that currently no
> one has AFAIK designed anything which allows fair use and prevents
> wholesale copying.

Which leads some of us to believe the two are mutually exclusive, and
insist that *any* DRM framework be kept out of HTML.  Mostly because
we've been Web developers long enough to have come to terms with the
fact that anything and everything we create *will* be ripped off by
some lazier developer, somewhere on Earth, at some point.  In my case,
19 years of "view source" doesn't leave me a whole river of tears to
cry for poor lil' old Hollywood refusing to acknowledge this reality,
and either adapt to it or die -- like everyone else who's ever created
content for the Web.  The playing field doesn't need to be unleveled,
let alone for just one class of content creator.

> > Having no bottleneck beats the heck out of supposing anything about
> > making DRM more user-friendly, which seems to me a boondoggle if
> > ever there was one.  The Open Web should require content publishers
> > to adapt their business models to the reality of the Web, not cram
> > DRM-in-HTML down everyone else's throats.
> > 
> >> 
> >> (Clearly, you might think, this won't work as for a system to be so
> >> highly used by both consumers and receivers it would be cracked
> >> instantly. But actually DRM is cracked anyway -- you can play
> >> anything over an HDMI cable and crack the HDMI cable.[1]  So we are
> >> not talking about an uncrackable system anyway. Just one where
> >> people will be more inclined to pay for the stream and less
> >> inclined to record it.)
> >> 
> > 
> > This makes no sense whatsoever.  Those with the wherewithal to crack
> > DRM will do so.  The 99% who don't have the 1337 skillz to record
> > from HDMI are the ones who are inconvenienced.
> Well, a very small community who can crack it,
> a quite small community who will use the crack and put it up some
> place, and a community of a certain size who will pick it up from
> that place. Then, different jurisdictions will give differing wight
> to these as offenses, and the may be pressure to change these weights
> as Hollywood perceives the easiest place to stop this happening.

Exactly why making content available the way users want to consume it,
is so effective against piracy -- there must be some analogy here with
the British Navy using Britney Spears' Greatest Hits to fend off Somali
pirates, instead of force.  Whatever the individual motivation to crack-
and-post, their common desire is to reach more eyeballs.  When producers
themselves reach those eyeballs to the point where most of their viewers
could care less it's on BitTorrent, guess what?  The pirates go after
the next ship.

When the masses aren't inconvenienced by DRM, paradoxically, DRM is no
longer required.  The 99% who lack the skills to record from HDMI are
the ones who download bootlegs from the 1% who do.  I perceive the
easiest place to stop this happening, would be to meet the demands of
the market with legitimate content, instead of ceding that ground to
the pirates and suing end-users.  But what do I know about movies? ;-)

> >  There is no inherent "right"
> > to restrict content playback by player or region, nor to restrict
> > the user's ability to skip ads and whatnot.  There is an inherent
> > right to fair use, and it makes me literally sick to my stomach to
> > imagine HTML providing the means to strip my actual rights, in
> > order to grant fantasy rights to those producers whose business
> > models are obsolete, who should get with the program.
> I'm not really a fan of rights being inherent as in self-evident
> and inalienable. A right is something we chose to have as a society,
> because we decide that we want to live in a world where a a given
> right exists. Some rights are enshrined in laws or constitutions or
> common expectations.

Nobody said fair use was self-evident, in fact it would be hard to find
a right which better fits your criteria.  It's established case law
combining the original intent of copyright in the Constitution, with
the prohibition against prior restraint, a right derived from a long-
standing interpretation of the first amendment.

The right to fair use has been chosen by (US) society, through
countless juries deliberating the issue, the decisions of which have
repeatedly received the constitutional imprimatur of many iterations
of the duly-appointed high court of the land.  Congress tried an end-
run around fair use by legislatively outlawing any circumvention of
anti-copying technology, only to see the Supreme Court carve out an
exception if the circumvention is done in pursuit of fair use, rather
than illicit profit.

To the long line of devices from piano rolls, to Xerox machines, to
VCRs, to DVRs, to MP3 players, I've always added Web browsers as
something else the entertainment publishing industry seeks to restrict
for all the same reasons they've always had, but which have never won
over any jury or higher court.  Without DRM in HTML, participating on
the Open Web would mean Hollywood ceding control of the copying and
playback of their content -- which they've always wound up doing, but
not without a fight, even when entire new revenue streams (home video
rentals) were apparent to everyone else.

So I think the backlash against DRM-enabling HTML isn't entirely about
how awful DRM is as a technology, I think it comes from lots of us who
have been around the block enough times on this issue over the course
of our lives, to be appalled at the notion that w3c intends to give
Hollywood literally its first-ever win over a playback device in the
last place anyone expected.

> So picking rights, I would prefer to live in a world where,
> - I can buy for-pay content from any supplier on any platform equally;

I think DRM-free HTML is the best technical solution to this social
problem; I don't see how EME or any other framework brings this about,
in fact I see quite the opposite happening.  If the social solution is
to entice publishers with built-in prior restraint, the technical
result isn't worth the social cost, IMO.

> - If I have "bought" something I can watch it in any country any time
> offline or online
> - If I have "bought" something I can archive it 
> A solution to the archive problem could be that master keys are just
> handed out to DVDs every quarter, so a year after something is
> released it becomes copyable. Any other ideas?

Yes, they've been tried, though -- how's Wal-Mart doing with
Ultraviolet?  How's the whole model of paying more for a DVD and the
right (which, theoretically, we already have) to a digital copy?  What
hasn't been tried, is making content available in formats modern users
want to consume.  Any revenue lost to piracy, represents to me a
measure of the missed market opportunity on the part of the publisher.

Any sane small businessperson would react by publishing content in a
way that addresses the reasons why otherwise-honest users seek to
download pirated content, then no mechanism is needed to preclude
lawful uses of said content (or delay such uses by a year).

> > 
> > The only users penalized by this approach are the ones who don't
> > pirate content to begin with.  The amazing success of the Web was
> > predicated on fair use by *everyone*, not just those capable of
> > breaking technical barriers.  At least I always thought this was a
> > strength of HTML vs., say, Flash.
> Yes.
> Even changing default preferences is rare for normal users, they say.
> >> Can you imagine a system in which there is some protected code
> >> but it is is sandboxed so the open source operating system can talk
> >> to it?
> >> 
> > 
> > Yes, Flash.  HTML not having a DRM framework wouldn't prevent those
> > content producers with obsolete business models from "protecting"
> > their content.  Those who have seen the light are more than welcome
> > to put their content on the "Open Web" without DRM, using HTML,
> > allowing fair use to potentially make said content viral -- those
> > who cannot imagine how to profit from such virality are free to
> > keep tilting at the DRM windmill.  You know, like iTunes...  Oh,
> > wait...
> > 
> >> 
> >> In fact, such a system has to be directly the screen anyway.
> >> Maybe the EME system should just be the screen.
> >> Can you in fact just build an open source system which negotiates
> >> directly between a HTMI device and the server? 
> >> Maybe this doesn't work -- I am not an expert on this.
> >> 
> > 
> > All I know about DRM handshaking, is it's a proprietary black box
> > which will not function with my obsolete 4x3 monitors, and is nigh
> > unto impossible to troubleshoot/fix when it doesn't work on
> > consumer devices. The best solution for me to play "protected"
> > content on my PC is to crack the DRM (infinitely easier than
> > figuring out why my PC won't play content on my HDTV or my
> > monitors), but most consumers lack the skills to work around faults
> > inherent in the _concept_ of DRM.  Having an HTML framework for DRM
> > will only proliferate such problems, for the majority of end-users
> > who simply can't get DRM to work reliably.
> > 
> >> 
> >> Can we while we are at it build a DRM system which is sandboxed so
> >> it can't call home, or is prevented from reading any data bout me
> >> from my system?
> >> 
> > 
> > What bugs me the most about this entire debate, is W3C's insistence
> > that declaring DRM "in scope" has nothing to do with building a DRM
> > system, and that EME is only an idea.
> In scope means it is up for discussion.
> >  Then you go and talk about just
> > that -- building a DRM system.  
> That is talking.  No one is really talking about how if DRM
> were linked to HTML it could be required to be better.
> People just slam DRM in principle for a load of reasons at once,
> missing an opportunity.

It's hard not to, but I don't see any opportunity missed by keeping the
architectural precept of the *User*-Agent intact.  Sure, most users
don't change default settings, but is that a bad thing?  Or is it a
measure of success, that things pretty much work the way users expect
from one site to the next, that they lack motivation to go mucking
about with settings?  I think the worst thing we could do to those
average users, is to for *some* content have the User-Agent cede
control of the user's lawful actions to the content publisher -- even
with a homogenous mechanism, the end-user experience becomes a variable
for which no configuration setting exists when they *are* motivated to
go looking for one.

> > Or, sidestepping the controversy by
> > stating that EME isn't a DRM system, only middleware, when the
> > arguments against EME are really arguments against the notion of a
> > DRM framework in HTML outright.  
> I'm not making that argument.
> > Which leads me to ask, is it possible to
> > engineer a DRM framework for HTML without also engineering the DRM
> > mechanism itself?  And is that really "in scope"?
> This is the architecture list, where it should surely be in scope to 
> ask if you are going to provide some DRM then what would a fairer
> version?

OK, but before we have that discussion, shouldn't we achieve consensus
on changing the architectural paradigm from User-Agent to Publisher-
Agent, even if we're only discussing one subset of content?  Or, table
the whole idea until someone rectifies the inherent conflict with fair
use?  I don't think there is an architectural solution for protecting
obsolete business models, so I still find declaring this "in scope" a

> >> One of the things I am worried about is that once we allow
> >> a EME vendor to install their own unreadable code, then that code
> >> could report on my media-watching activity, not to mention scrape
> >> up other private data and send it back, as many phone apps do now.
> >> 
> > 
> > Or any other number of potential horror stories, like the fact I
> > can't read an e-book if I travel out of my home country -- and then
> > have to re-download said content on my return.  Keeping such
> > shenanigans out of HTML entirely, seems the prudent way forward to
> > me.
> Can we require of EME systems that e.g. they don't have access to
> location or the network, they just juggle keys?  
> Could we require as policy that it the DRM system is not allowed to
> call home (for privacy, and offline working) and isn't allowed to
> discriminate by location?

I think if you take away what DRM proponents are actually after, there
won't be significant uptake.

> It is an architectural decision.
> Could we specify a DRM system which would be fairer than the
> underlying platform ones we sometimes see.

It's a decision which requires the architecture be redefined to
accommodate it, regardless of the implementation specifics.  I don't
see how DRM gets any uptake from publishers, if it still allows me to
timeshift or archive as I see fit.  When my browser precludes my lawful
use of paid-for content, it isn't acting as my agent.

> > Just what is the
> > definition of consensus, anyway?  If 99% of the community is
> > opposed to the concept of a DRM framework in HTML, does consensus
> > amongst the 1% on EME or some other framework trump all opposition
> > to the concept of DRM-enabling HTML itself?
> Well,  consensus at W3C can be only a part of whatever deployment
> happens, involving browser vendors and media channels. etc making
> their decisions. W3C can design a way, but can't vote that people
> implement it even with a unanimous working group.  It takes pressure
> from different sides to get these companies to make their decisions.
> >> Or can we make a DRM which doesn't have any hardware-protected
> >> code, which is open to being abused, and we rely on the fact that 
> >> most people don't change their computers much -- under that set of
> >> assumption -- which can be used by anyone who wants to stream a
> >> video?
> >> 
> > 
> > Again we're talking about engineering DRM, rather than just a
> > framework for it.  At what point do we recognize that DRM is simply
> > borked? Yeah, I don't change my computer much, but in the past year
> > I've had my Blu- Ray drive, one monitor, and a graphics card bite
> > the dust.  Each instance has required major effort on my part to
> > restore "protected" content.  Which led to frustration with all the
> > black-box crap where you can't even decipher the specs enough to
> > figure out why the HDMI handshake, etc., has gone kablooey -- and
> > I'm an expert!  So I simply installed crack software.  I don't see
> > how a DRM framework in HTML would solve such problems?
> > 
> You are not the average user. 
> Yes, there can be massive problems if you have licence keys on a
> computer and you lose the drive.   Fine if you have a live up to date
> relationship with the supplier, not fine if they are under new
> management.
> There is an ethical argument that once you have paid for something,
> you should be able to restore it from "illegal" copies whenever DRM
> stops you playing it.

Seeing as how it's settled case law, I'd call it a legal argument in
favor of fair use.

> Note none of those problems apply to streamed data.

I'm not aware of any distinction.  A pay-per-view Internet stream is no
different from a pay-per-view satellite transmission -- I have the
right to record it for the purposes of timeshifting and archiving, make
derivative works, etc. like I do for pretty much any content I purchase.

> Maybe DRM will be tolerable by users for streaming, and  for bought
> content, manufacturers will live without DRM.

My fair-use rights are independent of delivery method.  Just because I
start a stream, doesn't mean I intend to view the content as it streams;
I have a right to timeshift.  Streaming providers can certainly use DRM
to enforce a time window for me to view a stream, but what they lack is
any case law which gives them the right to keep me from timeshifting a
broadcast.  I can't think of a use for DRM on streaming video, which
doesn't amount to disrespecting my fair-use rights established by a
century and a half of legal precedent.

> >> Yes, you can argue that if DRM is bad then more [providers using]
> >> DRM is worse but on the other hand one of the bad things people
> >> associate with DRM is the closed market. Can we break that
> >> connection?
> >> 
> > 
> > Yes.  Let DRM die.  
> That's not separating them, which is what the mail is about.

I don't think it's possible, the one goes with the other -- either
embrace the open market, or fight against it, the choice to use DRM
precludes the former in favor of the latter.  This is by design.

> > It's a borked solution to a non-problem for all but
> > those content providers who insist on using lobbying, legalese, and
> > DRM shenanigans in pursuit of denying my right to fair use while
> > arrogating unto themselves various rights which don't really exist
> > in the first place.  I cannot support granting fantasy rights to
> > producers which destory the actual rights of end-users, there is no
> > technical solution to this social problem.
> "fantasy and actual" -- do you mean rights that are and are not
> enshrined in law?

Exactly.  Hollywood talks about their right to get paid for content,
which is all fine and good.  But then they talk about their right to
implement copy protection, which assumes all uses for copying are
nefarious -- the definition of prior restraint.  Their right to get
paid does not supersede my right to fair use, because their claim of
the right to prevent copying is a fantasy with no basis in law.

Putting a DRM framework in HTML grants a fantasy right (disallowing
copying) at the expense of my actual rights (fair use), without any
requirement that I've agreed to waive those rights beforehand.

> > 
> > I have the utmost respect for you, Tim, but just how much negative
> > feedback is required for you to admit an error?
> I put the subject in scope for discussion.  
> There is discussion happening.
> I'd like to see some attempt to make a fairer DRM system.

Unfortunately, the discussions seem to illustrate this as a foregone

> And someone to show that if we don't put EME in HTML
> the browser makers won't implement a non-standard DRM anyway,
> and if the browser makers don't implement a DRM, that the content
> distributers won't just switch off the web platforms onto native
> apps, making life a pain for users and developers. 

Or, they can dispense with their time-tested empty threats to take their
ball and go home, and embrace the Open Web.  Just like they did the VCR.
Hollywood needs the Web, because that's where the consumers are.

> You have suggested that DRM will just die if not included on the web.
> It's possible but it is not obvious. 

I believe it will die even if it's included on the Web, we'll just get
prolonged death throes.  The market has spoken, and I doubt it will
change its mind in light of "DRM -- now in browsers!", it will just
take that much longer for Hollywood to see the light.

> > I delayed chiming in
> > on this to keep an open mind, based on the fact that *you* were the
> > one taking a position diametrically opposed to my gut instinct re:
> > DRM, but IMHO you've failed to make the case for it; particularly
> > when your position seems to depend on somehow fixing DRM in order
> > to make an HTML framework for it palatable
> Well, designing a system to have properties which we would like to
> have is not crazy.     Let's stop assuming that a DRM system has to
> be like the ones we have now. If by "somehow fixing" we end up with a
> compromise which works for everyone, even for streaming content, it
> will make a system much improved on the current ones,  we have made a
> step toward openness in a different direction.

Let's stop assuming that the solution to piracy is copy protection of
any kind, particularly when it's incongruous with longstanding,
desirable system properties like support for fair use, or User-Agent.
When business models clash so badly with the technical and social
realities of our times, it's acceptable to stand pat on architectural
precepts favoring users...

> > -- seems a sisyphian task which will become
> > obsolete before it's ever completed, when the movie industry
> > follows the music industry to an "open" (as in DRM-free) Web
> > experience.
> It's possible but it is not obvious. 
> You want to take that gamble, that there will in fact not be a
> non-standrad closed-platform backlash.

...because it's the business models which must change, as decreed by
the invisible hand of the market.  Yes, I'm willing to gamble that the
Web scored a decisive and permanent victory over AOL/Prodigy/Compuserve,
although it would be just like Hollywood to fight the disruptiveness of
the Web by adopting an even _more_ obsolete business model in response.

> > 
> > Please, let content producers move forwards, instead of moving the
> > Web backwards to accommodate (some of) their desire to eliminate
> > fair use.
> I would not attribute that motivation myself.
> I don't imagine that any content provider wants to eliminate fair use.
> They just don't know how to stop what they see as unfair use, without 
> in the process eliminating fair use.

Hence, the strong backlash against DRM... if it ain't copasetic to
trample the rights of every customer, lobby like heck for SOPA and TPP
to end-run around 150 years of settled case law -- I think we may excuse
anyone who doesn't trust Hollywood not to see fair use as piracy.  I
don't think it's crazy to call piracy a problem of Hollywood's own
making, and the solution is therefore out-of-scope to the Web.

Received on Wednesday, 6 November 2013 01:43:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:59 UTC