When designing Phoenix, one of the toughest decisions I had to make was with regard to DRM content. I went back and forth on this constantly - but I ultimately came to my senses & made the decision not to support DRM content.

I’d like to explain my reasoning as to why, as well as provide my general thoughts on DRM as a whole.

What is DRM?

[Image: Lock icon, by Shankar Raman under Public Domain]

DRM, as Mozilla so elegantly puts it, is “technology that enables online video and audio services to enforce that the content they provide is used in accordance with their requirements”. It stands for “Digital Rights Management” - but it’s also more accurately referred to as Digital Restrictions Management.

DRM, on a fundamental level, is all about control. It restricts what you can and can’t do in your browser. This concept is antithetical to the very definition of the User agent - software acting on behalf of a user.

But how exactly does DRM “enforce the content provided is used in accordance with their requirements”?

How it works

DRM generally works by encrypting the media you’re trying to watch, to prevent you from modifying the content. But of course, you can’t actually watch the content unless it’s decrypted on your device! So how does DRM get around this? It attempts to obfuscate the key, & “hide” it from access.

Let’s be clear: DRM only ‘works’ because it’s hidden from the user. There’s no actual underlying technology here. Security through obscurity does not work. It never has, and it never will.

Piracy, Piracy, Piracy

The entire, & sole justification of DRM is to “prevent piracy”. Spoiler alert: DRM does not prevent piracy in any way. In fact, as I will explain below, it actually promotes piracy.

If I, myself, want to go pirate media - Well, I’m not going to be doing it by paying for a Netflix account…

If I want to save & distribute media from streaming services to others, DRM also doesn’t stop me.

Remember how DRM only works because it tries to hide itself from the user? There’s your problem. You’re trying to hide these keys on a device that the user owns. The keys will be found & exposed. It’s not a matter of if, it’s a matter of when. Like I stated above, there is no actual technology at play here. Here’s an infamous example of keys like this being leaked. DRM will always be broken, there’s no question about it. Software breaking DRM is even widely available for download…

It’s even easier than that though. What if… I simply record my display? It’s literally that simple to bypass.

So then, what does DRM actually do?

DRM only harms users

There is no use case of DRM that benefits users. It does not prevent piracy in any meaningful way, as explained above. All DRM does is hurt legitimate paying users.

Let me give you an example.

A family member who frequently travels recently came to me with frustration over how Amazon Prime Video handles downloads.

You see - if you attempt to download content from any of these streaming services on your mobile device - it ‘expires’ after a certain time period. ‘Expires’ isn’t an accurate term for it though, despite how companies portray it. This isn’t a gallon of milk, it doesn’t just magically go bad. The content is physically on your device. The streaming service simply decides “meh, you can’t play it anymore, sowwy :(”.

So what we have here is a situation where my family member, who is a legitimate paying customer of Amazon Prime, & who travels constantly - meaning they may or may not have a network connection at any given time, is unable to consume content from a service they pay for.

Are you starting to see the problem here? There is no instance of copyright infringement being prevented in this instance, it is only hurting a paying customer. In fact, all I see here is a promotion for piracy. Why deal with these random arbitrary restrictions from streaming services, when you can just download the file for free, with the ability to access it forever, whenever, & however you want? You’re quite literally paying for a worse experience.

Less accessible, more dangerous

Accessibility is another important issue DRM creates. I’ll quote an excellent example of this from the EFF:

“It’s not a copyright infringement to feed a Netflix video to an algorithm that can warn you about upcoming strobe effects that can trigger life-threatening seizures in people with photosensitive epilepsy.”

And this is only one such example. What if someone has some kind of trauma or PTSD, and wants to avoid their triggers? What about those that have hearing & visual impairments?

Should we just exclude them from consuming content, and I can’t stress this enough, from services they pay for?

At best, we’re excluding millions of people from being able to access & enjoy the content they want to watch & have legitimate access to. At worst, we’re risking serious injury, or even death.

But c’mon, we gotta stop those evil pirates!!, right??? :/

Don’t worry - it gets worse.

Security, Privacy - Who needs em?

As I’ve explained above: DRM only works by hiding itself. This means that the code is proprietary, closed source. For something that was touted as an open standard by the W3C - I do sense some irony.

This means that the code cannot be easily audited for privacy & security issues.

Furthermore, it’s important to understand that it is also illegal to circumvent DRM in most countries around the world, thanks to legislation like the DMCA - even if there was no copyright infringement.

As an experiment, the EFF requested that the companies lobbying for DRM sign a binding agreement to protect security researchers from legal action for auditing DRM for security issues.

The companies refused.

Does it get any clearer?

DRM has nothing to do with ‘stopping the evil pirates!’. It’s undeniably about control, censorship, & hurting competition.

We now have proprietary code in billions of browsers worldwide… code that is illegal to even audit for security vulnerabilities or privacy issues in most jurisdictions, designed to restrict what you can & can’t do on the web.

Imagine buying a new car. It drives nice for a while - but after some time & use, you begin to notice some issues. You decide you want to open the hood & see what’s going on, maybe even try to fix it yourself or see if you can take it to your nice local mechanic. Sure, you could just put off looking at it - But you don’t want to risk getting in an accident or worse. You try to open the hood… & congratulations, you’re now a criminal! It’s illegal to look at your car under the hood… after all, we have to stop those evil thieves!!!

This might sound far-fetched - but this is exactly the world DRM technology is creating.

The real motive™

~12 years ago, anyone, no matter who they were, could create a web browser following the W3C’s open web standards. Any user of any browser could access the content they wanted to access, how they wanted to access it.

Something I haven’t got to touch on yet with DRM is that a fundamental part of how it works involves what’s known as Content Decryption Modules. You might remember how I said above that DRM works through encrypting the content, & then decrypting said content on your device with their ‘secret’ keys?

The CDM part is what actually decrypts these keys.

Something very cool about DRM is that it allows the streaming services & other companies to decide what CDMs they want to use, & from whom - not the users.

Google’s CDM, Widevine, is one of the most widely used - though some other companies, like Microsoft, also offer their own solutions.

This means that in order to have the ability to play any DRM content, period, even in spite of the issues I’ve already pointed out - you have to get Google, Microsoft, or some other company’s blessing.

Remember what I said above, how anyone, anywhere in the world, could create a web browser following open standards, & could access whatever content they desired?

Due to DRM, this is no longer possible.

DRM & Phoenix

Back in May 2014, Mozilla caved in. Despite ideologically (& rightfully) opposing DRM, they made the unfortunate decision to add it to Firefox, helping lead to the wide adoption of the technology.

So, what position does this put projects like Phoenix in?

We could either take the high road & deal with users complaining about ‘Why doesn’t (insert random garbage proprietary streaming service here) work???’, or we could cave in like Mozilla, in the interest of self-preservation & attracting the most users.

Well, the answer was clear.

Phoenix’s goal is to put the user back in user agent. We will always put users first, & will only support features that benefit them. As I have detailed above, DRM not only doesn’t benefit users; it actively harms them.

Therefore, Phoenix does not & will never support DRM technology.

In a Flash

Remember this guy?

[Image: Adobe Flash logo]

Probably been a minute since you’ve seen that logo.

Yet, for ~20 years, this icon was synonymous with the internet. I remember my naive self installing it whenever I’d set up a new PC so I could play the latest Flash games, & hoping I didn’t forget to uncheck ‘McAfee’ or whatever other adware Adobe’s installer chose to include on any given day…

Yeah, those were dark times.

Fun fact: Apparently Flash is actually still being developed for use in China… by Samsung? They even made a new logo matching the design of Adobe’s other products…

[Image: Adobe Flash 2024?]

Back on topic…

Flash was awful. It has nearly all of the issues of this newer DRM technology, except worse in a lot of ways. It too acted as a form of DRM. It gave Adobe far too much control over the web, was riddled with security issues, & proved to be a nightmare to deal with.

So how was Flash defeated?

Simple: Apple refused to support it on the iPhone.

Sure, we have nowhere near the userbase & power Apple had to make a change. But I believe that every little bit counts.

I would like to encourage any other browser developers or those who maintain projects similar to Phoenix to follow in our footsteps by also disabling/removing DRM support.

Yes, you may receive some complaints, & yes: uninformed users may turn away from your project. But to put it simply: Not supporting DRM is the right thing to do for not only the web, but the world as a whole. For better or worse, the internet is only becoming more & more of an integral part of our lives, not less. We must protect it, rather than giving in to the demands of billion dollar mega-corps looking out for their best interests.

I’ve chosen to play the long game: I will not support technology that is designed to directly harm users. Yes, Phoenix strives to avoid breakage, & yes, it’s unfortunate that some websites may have issues or complain due to the lack of DRM. But I’m willing to make that trade-off for the greater good.

If this turns you away from Phoenix, so be it. I’m sorry that this project isn’t for you.

What we learned today

To sum everything up:

  • DRM has nothing to do with piracy; in fact, DRM actually promotes piracy.
  • DRM’s only use case is to harm users & restrict what content they can consume & how they can consume it on the web.
  • DRM directly harms users with medical conditions & disabilities.
  • DRM technology is not only proprietary, but it is illegal to audit for privacy & security issues in most jurisdictions around the world.
  • DRM is anti-competitive: it prevents anyone anywhere from creating a browser meeting open standards, & it allows companies like Microsoft & Google, as well as media companies, to act as gatekeepers over what content one can and cannot access.
  • Other browser developers & similar projects to ours are in agreement that DRM is problematic. They simply implement it because they see it as a ‘necessary’ evil. Phoenix doesn’t.
  • Phoenix is not missing out on any functionality: Video playback over HTML5 works perfectly fine.

Additional Reading

DRM’s Dead Canary: How We Just Lost the Web, What We Learned from It, and What We Need to Do Next - Cory Doctorow

Mozilla’s Original Sin - Jamie Zawinski

Defective by Design