Archive for the ‘DRM’ Category

W3C’s EME/DRM: Standardizing Abuse and Evasion

Wednesday, September 20th, 2017

Among the bizarre arguments in favor of Encrypted Media Extensions (EME), this one stuck with me:

Standardizing an API for Abuse of Users.

The argument runs something like this:

DRM is already present on the Web using plugins for browsers, each with a different API. EME, standardizing a public API, enables smaller browsers to compete in offering DRM. Not to mention avoiding security nightmares like Flash.

As a standards geek, I often argue the advantages of standardization. Claiming that standardizing an API for the abuse of users is beneficial strikes me as odd.

Conceptually, DRM systems don’t have to infringe on users’ rights to fair use, first sale, or modification for accessibility, but I don’t have an example of one from a commercial content provider that doesn’t. Do you?

Moreover, confessed corporate behavior, false bank accounts (Wells Fargo), forged mortgage documents (Ally (formerly known as GMAC), Bank of America, Citi, JPMorgan Chase, Wells Fargo), etc., leave all but the most naive certain that user rights will be abused via the EME API.

A use of the EME API that does not violate user rights would be a man bites dog story. Sing out in the unlikely event you encounter such a case.

(I got to this point and my post ran away from me.)

Is there an upside to ending the crazy quilt of DRM plugins and putting encrypted media delivery directly into browsers for users?

With EME as the single interface for delivery of encrypted web content, what else must be true?

Ah, there is a single point of failure for encrypted web content, meaning if the security of EME is broken, then it is broken for all encrypted web content.

There’s a pleasant thought. Over-reaching to gut users’ rights, the DRM crowd created a standardized, single point of failure. A single breach spells disaster on a large scale.

Looking forward to the back-biting and blame allocation sure to follow the failure of this plan to rain greed over the world. (Wasn’t some company named ContentGuard (sp?) involved in an earlier one?)

I’m not happy with a standardized API for abusing users, but having a single API is like Windows’ market share: breach one and you have breached them all. I take some consolation from that fact.

An Honest Soul At The W3C? EME/DRM Secret Ballot

Tuesday, September 19th, 2017

Billions of current and future web users have been assaulted and robbed in what Jeff Jaffe (W3C CEO) calls a “respectful debate.” Reflections on the EME Debate.

Odd sense of “respectful debate.”

A robber demands all of your money and clothes, promises to rent you clothes to get home, but won’t tell you how to make your own clothes. You are now and forever a captive of the robber. (That’s a lay person’s summary, but an accurate account, of what the EME crowd wanted and got.)

Representatives for potential victims, the EFF and others, pointed out the problems with EME at length, over years of debate. The response of the robbers: “We want what we want.”

Consistently, for years, the simple-minded response of EME advocates continued to be: “We want what we want.”

If you think I’m being unkind to the EME advocates, consider the language of the Disposition of Comments for Encrypted Media Extensions and Director’s decision itself:


Given that there was strong support to initially charter this work (without any mention of a covenant) and continued support to successfully provide a specification that meets the technical requirements that were presented, the Director did not feel it appropriate that the request for a covenant from a minority of Members should block the work the Working Group did to develop the specification that they were chartered to develop. Accordingly the Director overruled these objections.

EME lacks a covenant protecting researchers and others from anti-circumvention laws, a covenant that would have enabled continued research on security and other aspects of EME implementations.

That covenant was not in the original charter, the Director’s “(without any mention of a covenant),” aka, “We want what we want.”

There wasn’t ever any “respectful debate,” but rather EME supporters repeating over and over again, “We want what we want.”

That position prevailed, which brings me to the subject of this post. A vote, a secret vote, was conducted by the W3C seeking support for the Director’s cowardly and self-interested support for EME, the result of which has been reported as:


Though some have disagreed with W3C’s decision to take EME to recommendation, the W3C determined that the hundreds of millions of users who want to watch videos on the Web, some of which have copyright protection requirements from their creators, should be able to do so safely and in a Web-friendly way. In a vote by Members of the W3C ending mid September, 108 supported the Director’s decision to advance EME to W3C Recommendation that was appealed mid-July through the appeal process, while 57 opposed it and 20 abstained. Read about reflections on the EME debate, in a Blog post by W3C CEO Jeff Jaffe.

(W3C Publishes Encrypted Media Extensions (EME) as a W3C Recommendation)

One hundred and eight members took up the cry of “We want what we want” to rob billions of current and future web users. The only open question is: who?

To answer that question, the identity of these robbers, I posted this note to Jeff Jaffe:

Jeff,

I read:

***

In a vote by Members of the W3C ending mid September, 108 supported the Director’s decision to advance EME to W3C Recommendation that was appealed mid-July through the appeal process, while 57 opposed it and 20 abstained.

***

at: https://www.w3.org/2017/09/pressrelease-eme-recommendation.html.en

But I can’t seem to find a link to the vote details, that is a list of members and their vote/abstention.

Can you point me to that link?

Thanks!

Hope you are having a great week!

Patrick

It didn’t take long for Jeff to respond:

On 9/19/2017 9:38 AM, Patrick Durusau wrote:
> Jeff,
>
> I read:
>
> ***
>
> In a vote by Members of the W3C ending mid September, 108 supported the
> Director’s decision to advance EME to W3C Recommendation that was
> appealed mid-July through the appeal process, while 57 opposed it and 20
> abstained.
>
> ***
>
> at: https://www.w3.org/2017/09/pressrelease-eme-recommendation.html.en
>
> But I can’t seem to find a link to the vote details, that is a list of
> members and their vote/abstention.
>
> Can you point me to that link?

It is long-standing process not to release individual vote details publicly.

I wonder about a “long-standing process” for the only vote on an appeal in W3C history but there you have it, the list of robbers isn’t public. No need to search the W3C website for it.

If there is an honest person at the W3C, a person who stands with the billions of victims of this blatant robbery, then we will see a leak of the EME vote.

If there is no leak of the EME vote, that is a self-comment on the staff of the W3C.

Yes?

PS: Kudos to the EFF and others for delaying EME this long but the outcome was never seriously in question. Especially in organizations where continued membership and funding are more important than the rights of individuals.

EME can only be defeated by action in the trenches as it were, depriving its advocates of any perceived benefit and imposing ever higher costs upon them.

You do have your marker pens and sticky tape ready. Yes?

Upsides of W3C’s Embrace of DRM

Monday, September 18th, 2017

World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns by Cory Doctorow.

From the post:

In July, the Director of the World Wide Web Consortium overruled dozens of members’ objections to publishing a DRM standard without a compromise to protect accessibility, security research, archiving, and competition.

EFF appealed the decision, the first-ever appeal in W3C history, which concluded last week with a deeply divided membership. 58.4% of the group voted to go on with publication, and the W3C did so today, an unprecedented move in a body that has always operated on consensus and compromise. In their public statements about the standard, the W3C executive repeatedly said that they didn’t think the DRM advocates would be willing to compromise, and in the absence of such willingness, the exec have given them everything they demanded.

This is a bad day for the W3C: it’s the day it publishes a standard designed to control, rather than empower, web users. That standard was explicitly published without any protections — even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It’s the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium.

EFF no longer believes that the W3C process is suited to defending the open web. We have resigned from the Consortium, effective today. Below is our resignation letter:

In his haste to outline all the negatives, all of which are true, about the W3C DRM decision, Cory forgets to mention there are several upsides to this decision.

1. W3C Chooses IP Owners Over Web Consumers

The DRM decision reveals the W3C as a shill for corporate IP owners. Rumors have it that commercial interests were ready to leave the W3C for the DRM work, rumors made credible by Tim Berners-Lee’s race to the head of the DRM parade.

We are fortunate the Stasi faded from history before the W3C arrived, lest we have Tim Berners-Lee leading a march for worldwide surveillance on the web.

The only value being advanced by the Director (Tim Berners-Lee) is the relevance of the W3C for the web. Consumers aren’t just expendable, but irrelevant. Better you know that now rather than later.

2. DRM Creates “unauditable attack-surface” (for vendors too)

Cory lists the “unauditable attack surface” for browsers as if it were a bad thing. That’s true for consumers, but who else is it true for?

Oh, yes, IP owners who plan on profiting from DRM. Their DRM efforts will be easy to circumvent, the digital equivalent of an erasable marker, no doubt, and the same unauditable attack surface offers a way into their own systems.

Take the recent Equifax breach as an example. What is the one mission critical requirement for Equifax customers?

Easy and reliable access. You could have any number of enhanced authentication schemes for access to Equifax, but that conflicts with the mission-critical need for customers to have ready access to its data.

Content vendors dumb enough to invest in W3C DRM, which will be easy to circumvent, have a similar mission-critical requirement: easy and reliable approval, quite often as the result of a purchase at any number of web locations.

So we have N vendors sites, selling N products, for N IP owners, to N users, using N browsers, from N countries, err, can you say: “DRM opens truck sized security holes?”

I feel sorry for web consumers but not for any vendor that enriches DRM vendors (the only people who make money off of DRM).

3. DRM Promotes Piracy and Disrespect for IP

Without copyright and DRM, there would be few opportunities for digital piracy and little disrespect for intellectual property (IP). People can and do photocopy individual journal articles, violating the author’s and possibly the journal’s IP, but who cares? Fewer than twenty (20) people are ever likely to read it.

Widespread and browser-based DRM will be found on the most popular content, creating incentives for large numbers of users to engage in digital piracy. The more often they use pirated content, the less respect they will have for the laws that create the crime.

To paraphrase Princess Leia speaking to Governor Tarkin:

The more the DRM crowd tightens its grip, the more content that will slip through their fingers.

The W3C/Tim Berners-Lee handed IP owners the Death Star, but the similarity for DRM doesn’t stop there. No indeed.

Conclusion

Flying its true colors, the W3C/Tim Berners-Lee should be abandoned en masse by corporate sponsors and individuals alike. The scales have dropped from web users’ eyes and it’s clear they are commodities in the eyes of the W3C. Victims, if you prefer that term.

The laughable thought of effective DRM will create cybersecurity consequences for both web users and the cretins behind DRM. I don’t see any difficulty in choosing who should suffer the consequences of DRM-based cybersecurity breaches. Do you?

I am untroubled by the loss of respect for IP. That’s not surprising, since I advocate only attribution and sale for commercial gain as IP rights. There’s no point in pursuing people who are spending their money to distribute your product for free. It’s cost-free advertising.

As Cory points out, the DRM crowd was offered several unmerited compromises and rejected those.

Having made their choice, let’s make sure none of them escape the W3C/DRM Death Star.

Do You Feel Chilled? W3C and DRM

Monday, February 13th, 2017

Indefensible: the W3C says companies should get to decide when and how security researchers reveal defects in browsers by Cory Doctorow.

From the post:

The World Wide Web Consortium has just signaled its intention to deliberately create legal jeopardy for security researchers who reveal defects in its members’ products, unless the security researchers get the approval of its members prior to revealing the embarrassing mistakes those members have made in creating their products. It’s a move that will put literally billions of people at risk as researchers are chilled from investigating and publishing on browsers that follow W3C standards.

It is indefensible.

I enjoy Cory’s postings and fiction but I had to read this one more than once to capture the nature of Cory’s complaint.

As I understand it the argument runs something like this:

1. The W3C is creating a “…standardized DRM system for video on the World Wide Web….”

2. Participants in the W3C process must “…surrender the right to invoke their patents in lawsuits as a condition of participating in the W3C process….” (The keyword here is participants. No non-participant waives their patent rights as a result of W3C policy.)

3. The W3C isn’t requiring waiver of DMCA 1201 rights as a condition for participating in the video DRM work.

All true, but I don’t see how Cory gets to the conclusion:

…deliberately create legal jeopardy for security researchers who reveal defects in its members’ products, unless the security researchers get the approval of its members prior to revealing the embarrassing mistakes those members have made in creating their products.

Whether or not the W3C requires participants in the DRM system for video to waive DMCA 1201 rights, the W3C process has no impact on non-participants in that process.

Secondly, security researchers are in jeopardy if and only if they incriminate themselves when publishing defects in DRM products. As security researchers, they are capable of anonymously publishing any security defects they find.

Third, legal liability flows from statutory law and not the presence or absence of consensual agreement among a group of vendors. Private agreements can only protect you from those agreeing.

I don’t support DRM and never have. Personally, I think it is a scam and a tax on content creators. It’s unfortunate that the fear that someone, somewhere, might not be paying full rate is enough for content creators to tax themselves with DRM schemes and software, none of which are free.

Rather than arguing about W3C policy, why not point to the years of wasted effort and expense by content creators on DRM? With no measurable return. That’s a plain ROI question.

DRM software vendors know the pot of gold content creators are chasing is at the end of an ever receding rainbow. In fact, they’re counting on it.

Speaking of Wasted Money on DRM / WWW EME Minus 2 Billion Devices

Friday, June 24th, 2016

Just earlier today I was scribbling about wasting money on DRM saying:


I feel sorry for content owners. Their greed makes them easy prey for people selling patented DRM medicine for the delivery of their content. In the long run it only hurts themselves (the DRM tax) and users. In fact, the only people making money off of DRM are the people who deliver content.

This evening I ran across: Chrome Bug Makes It Easy to Download Movies From Netflix and Amazon Prime by Michael Nunez.

Nunez points out that an exploit in Chrome (whose Chromium code base is open source) enables users to save movies from Netflix and Amazon Prime.

Even once a patch appears, others can compile the code without the patch, to continue downloading movies illegally from Netflix and Amazon Prime.

Even more amusing:


Widevine is currently used in more than 2 billion devices worldwide and is the same digital rights management technology used in Firefox and Opera browsers. Safari and Internet Explorer, however, use different DRM technology.

Widevine plus properly configured device = broken DRM.

When Sony and others calculate their ROI from DRM, be sure to subtract 2 billion+ devices that probably won’t honor the no-record DRM setting.

Pride Goeth Before A Fall – DMCA & Security Researchers

Friday, June 24th, 2016

Cory Doctorow has written extensively on the problems with present plans to incorporate DRM in HTML5:

W3C DRM working group chairman vetoes work on protecting security researchers and competition – June 18, 2016.

An Open Letter to Members of the W3C Advisory Committee – May 12, 2016.

Save Firefox: The W3C’s plan for worldwide DRM would have killed Mozilla before it could start – May 11, 2016.

Interoperability and the W3C: Defending the Future from the Present – March 29, 2016.

among others.

In general I agree with Cory’s reasoning but I don’t see:

…Once DRM is part of a full implementation of HTML5, there’s a real risk to security researchers who discover defects in browsers and want to warn users about them…. (from Cory’s latest post)

Do you remember the Sony “copy-proof” CDs? (Sony “copy-proof” CDs cracked with a marker pen.) Then, as now, Sony was about to hand over bushels of cash to the content delivery crowd.

When security researchers discover flaws in the browser DRM, what prevents them from advising users?

Cory says the anti-circumvention provisions of the DMCA prevent security researchers from discovering and disclosing such flaws.

That’s no doubt true, if you want to commit a crime (violate the DMCA) and publish evidence of that crime with your name attached to it on the WWW.

Isn’t that a case of pride goeth before a fall?

If I want to alert other users to security defects in their browsers, possibly equivalent to the marker pen for Sony CDs, I post that to the WWW anonymously.

Or publish code to make that defect apparent to even a casual user.

What I should not do is put my name on either a circumvention bug report or code to demonstrate it. Yes?

That doesn’t answer Cory’s points about impairing innovation, etc. but once Sony realizes it has been had, again, by the content delivery crowd, what’s the point of more self-inflicted damage?

I feel sorry for content owners. Their greed makes them easy prey for people selling patented DRM medicine for the delivery of their content. In the long run it only hurts themselves (the DRM tax) and users. In fact, the only people making money off of DRM are the people who deliver content.

Should DRM appear as proposed in HTML5, any suggestions for a “marker pen” logo to be used by hackers of a Content Decryption Module?

PS: Another approach to opposing DRM would be to inform shareholders of Sony and other content owners they are about to be raped by content delivery systems.

PPS: In private email Cory advised me to consider the AACS encryption key controversy, where public posting of an encryption key was challenged with takedown requests. However, in the long run, such efforts only spread the key more widely, not the effect intended by those attempting to limit its spread.

And there is the Dark Web, ahem, where it is my understanding that non-legal content and other material can be found.

Flashback: Breaking Coffee DRM in 2014

Friday, December 11th, 2015

Cory Doctorow tweeted a post from 2014: Defeat Keurig’s K-Cup DRM with a single piece of tape.

It’s difficult to imagine a more environmentally unfriendly coffee maker than those by Keurig.

For every cup of coffee it brews, it adds to landfill waste. Yeah, for every cup, the environment is incrementally diminished. Not by much for any one cup but imagine the thousands of cups per day that pour (sorry) from Keurig machines.

Normally I enjoy stories of breaking DRM efforts but in this particular case, it only encourages more environmentally unfriendly companies to spring up manufacturing the same wasteful products as Keurig.

The best way to deal with a Keurig machine is to superglue or weld the damned thing shut. That will decrease the demand for more outlets selling environmentally unfriendly forms of coffee. Well, not just one machine, there needs to be an epidemic of people sealing off their own machines.

Working from home, I do quite well with a late-1950s/mid-1960s drip pot that requires only hot water and coffee. Nothing disposable except for coffee grounds, and they go in the compost heap. Well, and the coffee bag, which goes into recycling.

Make 2016 the year when the conspicuous consumption and waste of Keurig coffee machines ends.

PS: A common pot of coffee also saves time by narrowing the range of choices: the coffee is hot and black or the pot is empty. Fewer choices, quicker turn around at the coffee machine. 😉

Defeating DRM in HTML5

Saturday, May 11th, 2013

You may have heard that the W3C is giving the WWW label to DRM-based content vendors in HTML5: W3C presses ahead with DRM interface in HTML5

From the post:

On Friday, the World Wide Web Consortium (W3C) published the first public draft of Encrypted Media Extensions (EME). EME enables content providers to integrate digital rights management (DRM) interfaces into HTML5-based media players. Encrypted Media Extensions is being developed jointly by Google, Microsoft and online streaming-service Netflix. No actual encryption algorithm is part of the draft; that element is designed to be contained in a CDM (Content Decryption Module) that works with EME to decode the content. CDMs may be plugins or built into browsers.

The publication of the new draft is a blow for critics of the extensions, led by the Free Software Foundation (FSF). Under the slogan, “We don’t want the Hollyweb”, FSF’s anti-DRM campaign Defective by Design has started a petition against the “disastrous proposal”, though FSF and allied organisations have so far only succeeded in mobilising half of their target of 50,000 supporters.

I could understand this better if the W3C was getting paid by the DRM-based content vendors for the WWW label. Giving it away to commercial profiteers seems like poor business judgement.

On the order of the U.S. government developing the public internet and then giving it away as it became commercially viable. As one of the involuntary investors in the U.S. government, I would have liked a better return on that investment.

There is one fairly easy way to defeat DRM in HTML5.

Don’t use it. Don’t view/purchase products that use it, don’t produce products or services that use it.

The people who produce and sell DRM-based products will find other ways to occupy themselves should DRM-based products fail.

Unlike the FSF, they are not producing products for obscure motives. They are looking to make a profit. No profit, no DRM-vendors.

You may say that “other people” will purchase those products and services, encouraging DRM vendors. They very well may but that’s their choice.

It is unconvincing to argue for a universe of free choice when some people get to choose on behalf of others, like the public.

DRM/WWW, Wealth/Salvation: Theological Parallels

Thursday, March 14th, 2013

Cory Doctorow misses a teaching moment in his: What I wish Tim Berners-Lee understood about DRM.

Cory says:

Whenever Berners-Lee tells the story of the Web’s inception, he stresses that he was able to invent the Web without getting any permission. He uses this as a parable to explain the importance of an open and neutral Internet.

The “…without getting any permission” was a principle for Tim Berners-Lee when he was inventing the Web.

A principle then, not now.

Evidence? The fundamentals of RDF have been mired in the same model for fourteen (14) years, impeding the evolution of the “Semantic” Web, whatever its merits.

Another example? HTML5 violates prior definitions of URL in order to widen the reach of HTML5. (URL Homonym Problem: A Topic Map Solution)

Same “principle” as DRM support, expanding the label of “WWW” beyond what early supporters would recognize as the WWW.

HTML5 rewriting of URL and DRM support are membership building exercises.

The teaching moment comes from early Christian history.

You may (or may not) recall the parable of the rich young ruler (Matthew 19:16-30), where a rich young man asks Jesus what he must do to be saved.

Jesus replies:

One thing you still lack. Sell all that you have and distribute to the poor, and you will have treasure in heaven; and come, follow me.

And for the first hundred or more years of Christianity, so far as can be known, that rule, divesting yourself of property, was followed.

Until Clement of Alexandria. Clement took the position that the rich could indeed retain their goods, so long as they used them charitably. (Now there’s a loophole!)

That created two paths to salvation: one for anyone foolish enough to take the Bible at its word, and another for anyone who wanted to call themselves Christian without any inconvenience or discomfort.

Following Clement of Alexandria, Tim Berners-Lee is creating two paths to the WWW.

One for people who are foolish enough to innovate and share information, the innovation model of the WWW that Cory speaks so highly of.

Another path for people (DRM crowd) who neither spin nor toil but who want to burden everyone who does.

Membership as a principle isn’t surprising considering how TBL sees himself in the mirror:

TBL as WWW Pope