Extended media thoughts
The first weekend of this month, for me, was spent in sunny Santa Clara, attending the 2013 Mozilla Summit. Overall, it was a great weekend, getting to reconnect with old friends, make some new ones and see and talk about a lot of cool technology and plans for the future of Mozilla. Like most people (or so I suspect), I’m not normally a huge fan of company get-togethers, but Mozilla is different from normal in a lot of important ways. The Summit wasn’t just a gathering of Mozilla employees, for example; volunteers from all over the world were flown in to the Summit locations (it actually ran as three parallel events, in Brussels, Toronto and Santa Clara). And Mozilla isn’t your typical company. As a non-profit with a mission to serve the public good, Mozilla’s get-togethers feel much more like an open-source conference than a corporate to-do.
So that was awesome, and there were a few sessions which really got me thinking. A couple of them I’ll hold off writing about until a bit later, but one in particular stuck out because it covered a topic I’d already been spending some time on.
If you pay much attention at all to Web technology, or to tech in general, you’ve probably heard about something called “Encrypted Media Extensions”, often just shortened to EME. And you’ve probably heard it referred to as “DRM for HTML5”. Even at its current status of public draft (under heavy editing and development), it’s already incredibly controversial.
Since HTML5 is going to have the necessary technological bits to replace the use of proprietary plugins (primarily Flash and Silverlight) for video playback in the browser, it would be awfully nice to actually accomplish that; the current situation with those plugins is not great. But, obviously, entities which control the copyright to a lot of desirable video content feel nervous about just ditching the plugins — which have built-in DRM frameworks — and opening up that content. They want something to give them at least a semblance of copyright enforcement capability for Web-based video.
EME is that something.
Up-front, it’s worth pointing out there is a ton of misinformation floating around, and a lot of bad assumptions have been made based on that misinformation. Henri Sivonen has a nice breakdown of what EME actually is, and I’d recommend taking the time to read through it if you’re even the least bit interested in the topic. He has a tl;dr, but the whole thing is worth looking at. You can also read the EME draft and, since it’s version-controlled, easily track changes to it.
And a tl;dr of the tl;dr would be something like this:
EME, importantly, does not define exactly who ends up being responsible for throwing decrypted frames of video onto the screen. Past history indicates it’s unlikely to be the browser; probably it will be the CDM‘s job, either through compositing or some other mechanism which involves the operating system or the GPU or other hardware. It also does not define any of the things traditionally involved in DRM. There’s no mention of how to determine if playback is authorized, or to check for certified display hardware, or enforce geolocation restrictions, etc.
In other words, the DRM-y bits of DRM… aren’t in the EME spec. Presumably, they’re left to the CDM; EME itself is basically entirely about getting the CDM loaded and feeding it data. Then it’ll be up to the CDM to do the things we’ve come to understand as “DRM“.
The Summit session on EME was basically a large, open discussion about the ins and outs of the spec, and the possible consequences of it becoming standardized, and being implemented in browsers (including Firefox, in its various desktop, mobile and mobile-OS incarnations). The thing that struck me most about the session was how little Bible-thumping (for lack of a better phrase) took place. There were, of course, some folks in the room whose ideological stance is that DRM, or anything that looks like DRM, is always evil and must always be resisted to the last, but for the most part the session stayed off ideology and focused on the realities and consequences of EME.
A few interesting things which came up:
- CDMs will basically have to be sandboxed. This seems obvious once you think about it: copyright holders probably aren’t going to trust too much to the browser, since all the major browsers, save one, are built around open-source (and thus modifiable/hackable) engines. And browser vendors, having been bitten more than enough times by plugins with too much access, probably aren’t going to want to hand over that kind of access again.
- A corollary is that so far no-one’s brought up any sort of certification process for browsers (in other words, nothing which would tie CDMs to specific known browser builds which can be “trusted” not to leak or provide access to the decrypted content). Whether copyright holders would want that, we don’t know right now, though personally I’m not sure it’s possible to do: browsers are simply too fast-moving a target for such a thing, especially given the move toward rapid release cycles and reliance by browser vendors on users of beta/experimental/nightly build channels for QA.
- The EME draft is struggling with its security-considerations section. Even with the CDM sandboxed, it seems like it’ll be difficult/impossible to guarantee an end user of the browser won’t be able to get access to the decryption keys (which, if they’re coming in over the network, have to pass through the browser in some form to get to the CDM, or else have to be onboard, opening up problems comparable to what’s happened with physical media like DVD, where the media and hardware in the end user’s possession contain enough information to decrypt the content), and the in-progress security section seems to lean toward disclaiming any such guarantee.
And, of course, the big-picture focus. One concern — and it’s certainly a very real concern — is that the thing that’s nice about EME is also potentially bad. The nice thing, at least from a technical perspective, is the simplification and standardization; the size of the black-box binary blob is vastly reduced compared to the full stack of Flash or Silverlight, along with the responsibilities of that blob (which now become, basically, determining whether to decrypt, and then either firing an error or actually decrypting), and the EME spec itself is out in the open and free to implement. EME‘s also being explicitly designed to prevent the need for transcoding content multiple times for different playback frameworks, for example, and implementation compatibility takes a lot of burden off the shoulders of people who are distributing content over the Web.
But that is also a concern: if a standard, simple, easy-to-use implementation ends up in all the major browsers, then how long would it be just video using it? There are plenty of people who’d love to start placing restrictions on other types of content, if only there were a convenient technological way to do so. This is a somewhat ironic point to consider, since it opens up the possibility that bulky, fragmented, inconvenient, incompatible proprietary systems might be better — in the sense of preventing the spread of DRM — than a lightweight common standard coming from an open process.
Also relevant is the fact that opposition and resistance alone may not accomplish anything, which raises the question of whether the correct course is to offer an alternative which will obviate the desire for DRM. Several ideas for that were floated and discussed.
I don’t normally feel a need to do this, but given the topic and its contentiousness, let me just be absolutely clear on this: though I work for Mozilla, I don’t work on the browser, and my opinions are mine alone, and no-one else’s. What I say here is not representative of Mozilla-the-entity or its plans, only of my own personal thoughts.
I think just taking a stance of opposition is not going to be useful. The best possible outcome of that is maintaining the status quo, which is already known to be bad. The worst outcome is that one browser — likely Firefox — takes the ideological stand alone, and as a result gets shut out of YouTube, Hulu, Netflix, Amazon streaming, and every other Web-based video service. Which, at this point in history, is equivalent to saying “Firefox no longer has users”. And that’s a really bad situation; I think the market share of Firefox, so long as it’s a significant number, does a lot to keep other players relatively honest, and is not something that should be thrown away on a losing battle.
And make no mistake: this is almost certain to be a losing battle. The entities which hold copyright to a lot of popular content simply will not, right now, move away from Flash/Silverlight/etc. without something in place to make them feel safe in doing so. So EME, or something like it, will end up being standardized and implemented, at least for a while. The relevant entities (large, established movie and TV studios) simply don’t adapt fast enough for it to be any other way.
It seems to be an article of faith that DRM in general will, sooner or later, go the way of the dodo. It already has, effectively, with music, and the die-off seems to be starting with ebooks as well. Notably, in both cases, ideological opposition was not what brought this about; rather, it was market forces.
In the case of music, Apple deserves quite a bit of credit: their store, and its deep integration with Apple’s iTunes/iPod ecosystem (and later iPhone and iPad), took the first big step by offering a legal and convenient alternative to piracy: Apple’s store had the music, made the music easy to find and to get, and at what the majority of customers saw as a reasonable price. Which in turn catapulted Apple into the position of the 800lb gorilla in the music retail market, which in turn led labels to turn to Amazon to keep some leverage, which in turn led to DRM-free music (since going DRM-free was the only way Amazon’s music store could be compatible with the entrenched iTunes/iPod/etc. ecosystem, since Apple presumably wouldn’t provide access for a competitor to break Apple with Apple’s own DRM system).
In the case of ebooks, Amazon’s Kindle ecosystem has similarly taken the first big step, by making a large catalog available, easy to browse through and convenient to buy from, and at (again, in the eyes of the market at large) reasonable prices. But now Amazon is the 800lb gorilla in ebooks, and publishers and Apple just got smacked for antitrust violation in their attempt to bring in Apple as a differently-DRM‘d competitor. The only way out of Amazon’s massive market leverage is going to be a system that can work on all the devices Amazon’s Kindle ebooks work on, but which doesn’t require buy-in from Amazon in the form of licensing its DRM scheme. Which will effectively mean DRM-free ebooks.
So there does seem to be a repeating pattern here: first, a tech-native retailer emerges offering a large, easy-to-use catalog of titles at what’s perceived to be a fair price, reducing or removing the incentive for piracy (which, in the large, seems to be more about convenience and availability than anything else, with pricing being a distant second-place concern and opposition to copyright in general being the incentive for only an insignificant minority). Then that retailer grows so large, as a result, that the entities providing the content need to create competition in order not to get crushed on pricing by the big retailer’s leverage. Then they discover the only way to accomplish that is to drop DRM in order to get the interoperability that enables real competition.
But right now I don’t think anybody is even at the first step yet, with video content. I also don’t know whether this pattern can repeat for video. There are a couple ways in which video is different enough that I have some doubts.
First, long-term value, to customers/users, seems to run on a spectrum. When someone likes a song, they’ll listen to it again and again, and generally people won’t buy a track they plan to listen to only once. That’s the high end of the spectrum. Books are middle/low on the spectrum: a lot of purchased books will only get read once, but most people who read still have reasonably-sized libraries of titles they’ll want to keep and re-read multiple times. And video is probably the low end. The average person’s list of favorite movies and TV shows worth re-watching is, I suspect, shorter than the corresponding list of books worth re-reading, and far shorter than the list of music worth hearing again and again.
This creates pressure to either support both a “rent” and a “buy” option (which would naturally differ on price), which Apple has done with downloadable video content and Amazon is doing with streaming, or an “all you can eat” streaming subscription, which Netflix and Hulu are going with (and which Amazon also has as an option, for a subset of its catalog). Either way, the distributor has a financial incentive to make sure only someone who’s paid them can watch (and in the rent/buy system, there’s also an interest in making sure that someone who paid for “rent” has time-limited or number-of-viewings-limited access), which involves some sort of access control. I’m admittedly not considering advertising as a way to make money here, since there are legitimate doubts about the viability of ad-supported online services, but I suppose that’s an option which doesn’t require anything DRM-like (though there’d still need to be something ensuring advertisers get value for money, likely in the form of unskippable/unblockable ads).
Second, the online music market and the ebook market ended up the way they did because in each case, there was one early mover who got there first and got way ahead of everyone else. If anybody’s going to do that with video, right now it seems like it’ll be Netflix, but just in the purely Web-based niche they’ve already got real competition from Amazon and Hulu, who have sizable catalogs and convenient pricing and end-user interfaces. And that’s without considering that Apple does a pretty good business in non-streaming video, too.
If online video comes out of its infancy with multiple viable competitors rather than one dominant breakaway player, then the market pressures that drove music to go DRM-free, and are driving ebooks there, won’t exist for video, and we may be stuck with DRM at least for a longer time than with music and ebooks.
While I can certainly see and appreciate the slippery-slope argument — EME opens the door to making DRM easy on the Web, which leads to increased DRM and maybe even a return of DRM on things that have shed or are in the process of shedding it — and I’m wary of the possible “give an inch, they’ll take a mile” consequences of opening the door just to video, I’m also certain that just opposing it, without having some viable alternative, simply can’t work.
And while I understand and sympathize with the anti-DRM philosophical position, I also think controlled access to media can enable good services that wouldn’t otherwise exist, at least for now, due to fear of piracy. And I suspect it’s possible to implement that controlled access in a simple, standardized way that’s not philosophically repugnant. Apple is, I think, a good example of this: even when music from iTunes came with DRM attached, it came licensed under terms generous enough — no need to pay multiple times in order to listen on your computer, and on your iPod, and so on, ability to burn CD mixes, etc. — that it didn’t really interfere with how people wanted to enjoy the music they’d bought.
Note: I didn’t put “bought” in scare quotes there for a reason: it is certainly true that the disconnect between “buying” a physical piece of media like a CD or DVD and “buying” a sequence of bits is tricky. It’s certainly true that the possibility of a licensing server being shut down, or a title being retroactively yanked out of a catalog, is the best practical and end-user-visible argument against DRM. But I also think there’s a possibility for controlled-access schemes which ensure that people get paid but get around those problems; being able to burn “bought” music to a CD and play it back from the CD, or rip it off the CD again, is an example.
I think the big-picture way forward largely consists of services which will remove the perceived need (on the part of copyright holders) for DRM, and that it’s going to be very important for players in the video market to try for licensing terms similar to the ones Apple managed to get on music, and which proved, pretty conclusively, the ability of convenient and not-overly-restrictive systems to win out over piracy in the marketplace. The current situation with music, where content typically comes DRM-free but watermarked in ways which can help trace naïve copyright infringement, is really pretty good overall in terms of balancing the interests of all the involved parties.
In the meantime, I’m still not sure I can come to any conclusions specifically about the EME draft. My immediate reaction on hearing about it was to go read the draft, and my immediate reaction on reading the draft was that, compared to what it could have looked like, it’s not obviously horrid. Which is damning with faint praise, I know, but the fact it didn’t provoke immediate visceral anger when I understood it is actually quite an accomplishment. The practical reality is some form of access control on media — at least video — seems unavoidable in the near term, even if DRM-free is the long-term future. And a clear, open, freely implementable standard for that with the actual (presumably proprietary) access-controlling blob kept as minimal as possible seems preferable by far to the current landscape of heavyweight plugins, with their attendant security and interoperability issues. So from a technical perspective EME, at least at present, seems to be acceptable, though of course not something to be joyous about.
The hangup is the two questions left unanswered right now:
- What will the EME draft look like when it’s farther along in the process?
- What will be the long-term consequences of standardizing the capability to control access to media in the browser?
If I could know the answers to these were “mostly how it looks now, but with some more technical details filled in” and “mostly just that HTML5 video replaces Flash/Silverlight”, I think I’d support EME with few or no reservations, and advocate for big-picture maneuvers to reduce the demand for DRM. But right now I don’t and can’t know those answers, and so right now I just can’t form a useful, conclusive opinion. About the best I can say is that, for all the controversy — and in fact, because of the controversy — I’m glad EME is coming from a standards body which put it out in full public view where I can see it develop, watch how it changes and get some ideas about how this particular sausage is being made.