And Here We Go: Mozilla Felt Pressured Into Adopting DRM In HTML5
from the a-broken-system dept
We’ve written a few times about the unfortunate decision by the W3C to adopt DRM in HTML5 in an effort to keep Hollywood happy. While Tim Berners-Lee and others at W3C have tried to defend their reasons for doing so, they’re all based on the faulty premise that somehow the internet needs Hollywood more than Hollywood needs the internet. The reverse is true, but Hollywood has convinced too many people of its own importance to the internet. Because of that — along with the agreed-upon fact that today’s plugin/extension system is a complete disaster from technological and security standpoints — the W3C, pressured by a bunch of big companies, agreed to put DRM into the next generation of HTML (and don’t buy their argument that it’s not actually DRM — the only purpose that Encrypted Media Extensions (EME) serves is to enable DRM).
Today there’s a lot of discussion because Mozilla, makers of the popular (and open source) Firefox browser, have posted two separate blog posts about how they feel forced to adopt this DRM even though they hate basically everything about it. Mozilla’s argument is not crazy. They’re worried that by not adopting these standards, while all other browsers do, people will just shift to those other browsers. And beyond just losing market share, Mozilla has a point in noting that the way other browsers implement EME will be less secure than the way that Mozilla is doing it.
We have designed an implementation of the W3C EME specification that satisfies the requirements of the content industry while attempting to give users as much control and transparency as possible. Due to the architecture of the W3C EME specification we are forced to utilize a proprietary closed-source CDM as well. Mozilla selected Adobe to supply this CDM for Firefox because Adobe has contracts with major content providers that will allow Firefox to play restricted content via the Adobe CDM.
Firefox does not load this module directly. Instead, we wrap it into an open-source sandbox. In our implementation, the CDM will have no access to the user’s hard drive or the network. Instead, the sandbox will provide the CDM only with communication mechanism with Firefox for receiving encrypted data and for displaying the results.
Traditionally, to implement node-locking DRM systems collect identifiable information about the user’s device and will refuse to play back the content if the content or the CDM are moved to a different device.
By contrast, in Firefox the sandbox prohibits the CDM from fingerprinting the user’s device. Instead, the CDM asks the sandbox to supply a per-device unique identifier. This sandbox-generated unique identifier allows the CDM to bind content to a single device as the content industry insists on, but it does so without revealing additional information about the user or the user’s device. In addition, we vary this unique identifier per site (each site is presented a different device identifier) to make it more difficult to track users across sites with this identifier.
Mozilla is also making it opt-in — so that everyone will have the choice to choose whether or not to activate the DRM implementation. Also, kudos to Mozilla for not taking the W3C path of pretending that EME isn’t DRM. Mozilla is quite upfront that this is DRM and that they’re uncomfortable with this. As Andreas Gal says:
we would much prefer a world and a Web without DRM…
But, Mozilla feels that users “need it to access content they want.” Mitchell Baker similarly notes:
The new version of DRM uses the acronyms “EME” and “CDM.” At Mozilla we think this new implementation contains the same deep flaws as the old system. It doesn’t strike the correct balance between protecting individual people and protecting digital content. The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach.
Unfortunately, it appears that even though this is the case, Mozilla still believes that the internet needs Hollywood’s locked up content more than Hollywood needs to adapt to the internet. That’s too bad. Cory Doctorow has a very detailed discussion of why he thinks Mozilla made a mistake, while acknowledging all of the reasons why they did what they did. More importantly, he lists a number of additional things that Mozilla should do to improve the situation. I’ll summarize those four things, because I agree wholeheartedly:
- Protect security researchers: Thanks to the anti-circumvention provision of the DMCA, any security research into Adobe’s DRM may be a form of infringement. As Cory notes, Mozilla should demand that Adobe issue a covenant not to sue security researchers or developers who find vulnerabilities.
- Educate users: Teach everyone (including Hollywood, but mainly the public) why DRM is dangerous and harms security and privacy online. Personally, I’d add that Mozilla could also teach people why DRM is simply not necessary.
- Research and publish the case for DRM: This goes back to the question of who really needs it. Hollywood thinks they do, but I don’t think that’s really true. As Cory says, Mozilla should look at the actual data to see if there truly is a use case for DRM.
- Formulate and articulate a DRM policy: Basically don’t make these kinds of decisions ad hoc — but have a clear policy on how and when decisions like this get made.
For years, the music industry insisted it needed DRM, and folks like Apple catered to them — and that actually just helped Apple have more power over the music industry. Finally, the music industry shed DRM and it had almost no impact. Today, the book industry has the same issue, demanding DRM… and basically handing market power to Amazon in providing that DRM. It’s amazing that Hollywood still insists it needs DRM. It does not. Unfortunately, it by agreeing to implement DRM here, it means it will take much longer for Hollywood to learn this lesson.