On Twitter yesterday, Brian Fitzpatrick, a tech entrepreneur, noted that while trying to enjoy the in-flight entertainment on the United Airlines flight he was taking, the in-flight Wi-Fi system told him he need to install its special brand of DRM
. They didn't even try to sugarcoat it with some fancy confusing name. It's literally called the DRM plugin:
In case you can't see the image
, it says:
Click 'Okay' to download the latest DRM Plugin.
After installation playback should resume immediately,
if it doesn't then you may need to restart your browser.
Fitzpatrick kindly sent me a bunch more screenshots and details. That little error message pops up -- along with other error messages -- when you go to watch a movie:
This is part of United's "beta test" of its "Personal Device Entertainment"
option, that allows you to apparently fuck up your computer, just to get access to the short list of films and TV shows that United has contracted to allow you to watch while in flight. The "requirements" on United's website only shows "the latest version" of various browsers (oddly, Chrome is excluded -- which we'll get to) and Flash Player 15 or higher.
Notice that it doesn't say anything about "our own personal malware." The only indication something may be up is in this infographic
that says "you may be prompted to download a plug-in." No biggie.
Fitzpatrick also realized that if you don't have Flash (which is actually a good security practice
) United will helpfully offer to install it for you as well:
Because what's flying the friendly skies without the opportunity to push multiple
pieces of software that might put your computer at risk!
At this point, United will provide lots of detailed instructions on how to install the DRM-you-never-wanted on your machine:
Notice the more detailed instructions to get it to work in Chrome (and the earlier note about how this system doesn't support Chrome)? That's because the plugin is using NPAPI
, which is a security nightmare and is no longer supported
in Chrome for security reasons. As the Chrome team has noted: "NPAPI is a really big hammer that should only be used when no other approach will work."
So, not only is United trying to install unnecessary and annoying DRM on your computer, it's also doing so in a way that it is recognized as being a security nightmare. That's
In the interest of science, Fitzpatrick dug a little deeper and discovered that the "DRM plugin" in question is actually Panasonic's Marlin DRM -- something we actually wrote about
years ago, as an attempt to create an "open source" DRM. Though, amusingly, Fitzpatrick notes that the DRM comes with strong copyright warnings itself:
This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. Panasonic Avionics Corporation or its subsidiaries, affiliates, ad suppliers (collectively "PAC") own intellectual property rights in the Software Product. The Licensee's ("you" or "your") license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement").
How sweet. You need to abide by Panasonic's rules when you install its security nightmare of a DRM you didn't want, just to watch an in-flight movie.
And, really, after all this, people should be asking but why
? What "threat" model requires United to force dangerous malware onto your computer? And the answer is likely that Hollywood requires it, because to Hollywood everything
is a threat, and the idea that someone might be paying hundreds of dollars for flights and they might also
then make a copy of a movie... well, that's just too much to handle, and they have to first ask you to break your computer and put all your data at risk. Isn't that sweet of Hollywood? Oh wait, no I didn't mean sweet. I meant insane.
I'm sure that United Airlines didn't think through much of this and the details when it agreed to these ridiculous terms. It just thought it was adding an option that sounded
nice. Letting people have access to more entertainment options, including on their own devices sure sounds like a nice option for some passengers. But if it comes with forcing people to put their computers and information at risk, it gets problematic fast.