To Serve Users

My honourable friend Bradley Kuhn thinks Mozilla should serve its users by refusing to give them what they want.

[Clarificatory update: I wrote this post before I’d seen the official FSF position; the below was a musing on the actions of the area of our community to which Bradley ideologically belongs, not an attempt to imply he speaks for the FSF or wrote their opinion. Apologies if that was not clear. And I’m a big fan of (and member of) the FSF; the below criticisms were voiced by private mail at the time.]

One weakness I have seen in the FSF, in things like the PlayOgg and PDFReaders campaigns, is that they think that lecturing someone about what they should want rather than (or before) giving them what they do want is a winning strategy. Both of the websites for those campaigns started with large blocks of text so that the user couldn’t possibly avoid finding out exactly what the FSF position was in detail before actually getting their PDF reader or playback software. (Notably missing from the campaigns, incidentally, was any sense that the usability of the recommended software was at all a relevant factor.)

Bradley’s suggestion is that, instead of letting users watch the movies they want to watch, we should lecture them about how they shouldn’t want it – or should refuse to watch them until Hollywood changes its tune on DRM. I think this would have about as much success as PlayOgg and PDFReaders (link:pdfreaders.org: 821 results).

It’s certainly true that Mozilla has a different stance here. We have influence because we have market share, and so preserving and increasing that market share is an important goal – and one that’s difficult to attain. And we think our stance has worked rather well; over the years, the Mozilla project has been a force for good on the web that other organizations, for whatever reason, have not managed to be. But we aren’t invincible – we don’t win every time. We didn’t win on H.264, although the deal with Cisco to drive the cost of support to $0 everywhere at least allowed us to live to fight another day. And we haven’t, yet, managed to find a way to win on DRM. The question is: is software DRM on the desktop the issue we should die on a hill over? We don’t think so.

Bradley accuses us of selling out on our principles regarding preserving the open web. But making a DRM-free web is not within our power at the moment. Our choice is not between “DRM on the web” and “no DRM on the web”, it’s between “allow users to watch DRMed videos” and “prevent users from watching DRMed videos”. And we think the latter is a long-term losing strategy, not just for the fight on DRM (if Firefox didn’t exist, would our chances of a DRM-free web be greater?), but for all the other things Mozilla is working for. (BTW, Mitchell’s post does not call open source “merely an approach”, it calls it “Mozilla’s fundamental approach”. That’s a pretty big misrepresentation.)

Accusing someone of having no principles because they don’t always get their way when competing in markets where they are massively outweighed is unfair. Bradley would have us slide into irrelevance rather than allow users to continue to watch DRMed movies in Firefox. He’s welcome to recommend that course of action, but we aren’t going to take it.

73 thoughts on “To Serve Users”

  1. Self-serving, scummy, self justification.

    You’ve given up the open web, just like W3C. Mark my words, this is merely the start – DRM on text *will* be next. How will you look at yourself in the mirror when you’re on that slippery slope ? Console yourself with ‘market share’ whilst you sell out your users ?

    The only honorable thing to do is quit such a dishonorable organization as Mozilla has now shown itself to be. Men of good conscience should not serve such a master.

    Perfidious FireFox.

  2. I don’t always agree with you, gerv, but I totally agree with you here :) . I too noticed the parallels with h264, and I think it’s an apt comparison.

  3. “The question is: is software DRM on the desktop the issue we should die on a hill over? We don’t think so.”
    Then the question becomes “is there ANY issue you should die on a hill over?”.
    I don’t think so.

    I think things work in the reverse. People don’t “want” anything, besides basic needs like a roof on their head, water, food and sleep. Anything else is a need that is “created” by marketing.

    So the point becomes:
    “Mozilla is not capable of having an effective marketing to create the need of an “open Web” (whatever Mozilla thinks the “open Web” is) while other players are capable of convincing people they need any sort of things, like replacing PCs with touch/mobile gadgets, replacing the Internet with “locked sub-networks”, “services” and “apps”.

    As result, the only thing Mozilla can do is to follow.
    Much like those fishes that follow big sharks and live out of their leftovers.

    It is not a sin or a crime. But it gives some limited meaning to Mozilla’s mission.

  4. I, ummm, don’t believe “sell out your users” is the phrase you’re looking for. More like “giving users what they want.”
    Yes, what those users want is a BAD THING, but… it’s what the majority of users seem to want, and no one ever stayed around long by refusing to give people what they want. Well, except Apple, but they have a much larger ad budget.

  5. I think the problem is that a lot of Free Software types really, *really* want Mozilla to be dedicated to Free Software, and manage to convince themselves that Mozilla are, when they’re really not, and are just using the Open Source model really effectively.

    At least, that’s why I used to get angry at Mozilla. I mean, I never got angry at Microsoft, or Apple, or Opera, or even Google, for writing a non-Free browser, because I never expected them to. But Mozilla, at times, you can kid yourself that they get Free Software. They, and Netscape before them, were “our side” against MS in the ’90s and early ’00s. Firefox was even multi-licensed under the GPL/LGPL until recently. And I’m sure I’ve seen Mozilla, or its agents/employees, talk enthusiastically about “freedom”. And, Firefox *is* a really kick-ass browser.

    So, if you’re a Free Software person, it’s easy and seductive to kid yourself that Mozilla are a Free Software organisation. To project that their philosophy is in line with the FSF’s “Four Freedoms”, or Debian’s DFSG.

    And then they do stuff like preventing distros from providing security backfixes to a product called “Firefox”, or preventing people from selling “Firefox”, or implementing DRM, and all us Free Software people who’ve projected our philosophy onto Mozilla because we thought they were “one of us” suddenly get a massive case of cognitive dissonance, and collectively lose our shit.

    Mozilla are not a Free Software organisation. They’re not interested in the philosophy of Free Software. They use Open Source as a development model (and they do so very well) and their actions sometimes align with those of the Free Software movement, but that’s more of a happy accident rather than by design.

    Note that this still makes them the most Free Software friendly of all big 4 browser makers, and they still do a lot of great work on the web, and Firefox is still a kick-ass browser. But they’re not about Free Software.

    Once I realised this, and saw Mozilla for what they were, rather than what I wanted them to be, I’ve calmed down a lot when they do this kind of thing. Again.

    Mozilla aren’t selling out their users, any more than Microsoft, Apple or Google are selling out their respective users, because Mozilla never pretended to try and deliver software that respects the user’s four freedoms (or whatever). They’re giving their users what they’ve always given them – the ability to access as much of “the web” as possible, no matter what form “the web” happens to take.

    And that’s fine. Firefox is not the browser for me, and I’m finally OK with that. I mean, it’s a shame, because it does kick ass, and I enjoyed using it in the past, but we’ve grown apart. It’s mostly me, I think. I’m pretty sure I’ve changed more than Mozilla has.

  6. Worth noting that PlayOgg promotes VLC, which plays a whole host of formats that the FSF objects to. That’s rather significant collateral enablement.

  7. I understand the requirement for a Content Decryption Module, I’m not going to pretend that the requirement for it isn’t real in this time of Netflix. But why does it need to be a closed source CDM? That’s the issue I take with the current course of action. While the open source sandbox is indeed a step in the right direction, why are we opting to go with an organisation that has been terrible for the open web and has a reputation of pushing closed source proprietary sub-par software?

  8. Because an Open Source DRM-system is impossible? If the source code is available, it’s trivial to circumvent it.

  9. I understand fully that Mozilla Foundation (MoFo) doesn’t hold the same principles that I do. If you read my blog post carefully, I specifically point out that adding proprietary software as a default feature of Firefox violates MoFo’s own principles (as stated in your Form 1023).

    I agree that none of us can change other people’s behavior. We can’t change the fact that users might be so addicted to the MPAA’s content that they will compromise any principle (ours or their own) just to get easy access to it. This is a disturbing fact; I have always been deeply troubled by what Jello Biafra once called the USAmerican principle of “Give me convenience or give me death!”

    MoFo and Mozilla Corporation (MoCo) can, however, control its own actions, and you decided, as you say, that giving users whatever they want — no matter what principle it violates — is paramount. That’s your prerogative to choose to violate your founding documents and go that route. But, I don’t think it’s fair to insinuate that MoFo has the moral high ground over the FSF.

    Indeed, I think your criticisms of the FSF are unfair above. First of all, you start your post criticizing my position, but I wasn’t speaking for the FSF and my blog was very clear (notwithstanding my membership in FSF’s Board of Directors) that I don’t speak for the FSF there. Thus, conflating my criticisms with the FSF’s seems like a rhetorical trick on your part.

    Notwithstanding that, in defense of the FSF, I’d note that it has done a lot of important things for the freedom of users while still giving users a lot of software that they want. FSF has always been extremely clear that the path to universal software freedom requires giving the users software that the users really enjoy, and license that software in ways that respect the users’ freedoms. The FSF still does great work in that area, particularly when you consider the FSF’s meager resources compared to those of a large company like MoCo.

    For me and the FSF, the problem with DRM has always been that there is no way to simultaneously implement DRM and give the users software freedom: the two concepts are fundamentally at cross-purposes. I’m grateful that MoFo and MoCo held out the longest among many orgs (including the W3C itself, which I agree with you is the worst domino to fall here). However, please note that MoFo and MoCo will be criticized more harshly because MoFo and MoCo’s succumbing and kowtowing to the wishes of the MPAA (and furthermore lauding partnership with Adobe to do it!) feels more like a betrayal (and really is, when you note what MoFo’s Form 1023 says) than anyone else’s actions.

  10. I don’t think the choice is between “allow users to watch DRMed videos” and “prevent users from watching DRMed videos”. The actual choice is between “allow users to watch DRMed videos in Firefox” and “force users to watch DRMed videos in another browser”. The truth is that browsers are significantly more fungible than the type of content that’s being encumbered by DRM, so refusing access to this content only serves as a way to drive away users.

    It is also true that as marketshare declines, the amount of leverage that a browser vendor has over content producers, and other browser vendors, also declines. If you believe that Mozilla is the most well-intentioned of the major vendors then presumably you want them to have as much influence as possible in order that they can push back on user-hostile requirements in the future. Embarking on a suicidal strategy just to maintain a principled position isn’t going to achieve that.

  11. If people don’t want anything besides food, water and shelter and the need for everything else is created by marketing, who wanted there to be marketing in the first place?

    And yes, Mozilla failed to create the need of an Open Web (or to educate users why the Open Web is in their own best interest). But so did you, me, the FSF, the EFF and everyone else who values the Open Web.

  12. Views on the open source/free software debate vary among Mozilla hackers. Some are pretty strongly on the free software side (e.g. are Debian developers), some are somewhere in the middle (my position is quite nuanced, and is here), and some are pretty pragmatic. This does lead to heated debate, particularly on questions like this. But I do think the one thing we agree on is that our leverage and power to do good today comes from our market share. Organizations like the FSF are happy to refuse all pressure to compromise; we think differently.

  13. @jgraham, I think you pointed out a fundamentally interesting issue here with the phrase “browser vendor”. Is MoCo a browser vendor, or does MoCo exist to serve the mission of MoFo as stated in their Form 1023? The mission says they will produce only “open source Internet applications”. DRM-enabling Firefox contradicts that.

    My original blog post pointed out this distinction: Baker compared MoCo to other “browser vendors” such as Google, Microsoft and Apple. As @Karellen notes above, we expect for-profit companies to sell out their users to the highest bidder: for-profit company’s mission is to make money for shareholders via any mechanism that is legally permissible. For-profit “browser vendors” are more-or-less mandated to mistreat their users, since DRM and proprietary software are legal. But, MoFo was supposed to be something more than a “browser vendor”: it was supposed to be a charity fighting for the public good on the Web.

    BTW, I’d have reacted differently if Baker had shared with the software freedom community how kowtowing on this point is part of a long-term strategy to end DRM and proprietary software on the Web. There is no such plan presented, rather, the defense I hear from MoFo and MoCo is: “we have to give the users what they are asking for,” no matter if it contradicts our own principles. That’s a message fitting with shareholder value, not the public good.

  14. It is good that this decision is remarkable. Cory Doctorow has an article in the Guardian today about software freedom and DRM.

    Crucially, Mozilla has the moral high ground here among major browsers. “That’s it! I’m switching to Chrome because Firefox includes proprietary software and DRM!!!1” doesn’t work, because Chrome already includes EME and is itself proprietary. Ditto Safari. Ditto IE. Ditto Windows, OS X, iOS and Android.

    This gives us — and the FSF, and supporters of Iceweasel and Gnome Web — a great opportunity to explain why Free or open source software is so important.

    A wise FSF would focus on Free software’s freedom as a selling point. There is *demand* for software freedom right now. Use it!

  15. *All* DRM is impossible. If you want a human to see or hear something, you’re going to have to make light and sound. Humans have cameras and microphones.

    DRM software doesn’t aim to *prevent* copying. It aims to make it awkward, to try to reduce the number of copyright infringers. It’s impossible to discern fair use using technology, so the awkwardness also harms normal non-copyright-infringing users.

    The important question is “to what extent?” — it’s like airport security.

  16. Firefox is already DRM-enabled. NPAPI enables Flash. Similarly, EME enables Adobe’s CDM.

    EME is not good. It is *less bad* than NPAPI.

    The CDM is less capable than an NPAPI plugin — it has no disk or network access. It can communicate only via open code. The closed code is very clearly separated from the rest of the system.

  17. That’s true, but nevertheless completely misses the point.
    Mozilla doesn’t want to implement DRM, they think they need to, because many users want to access content that can only be legally consumed through a DRM-system. And the owners/distributors (Hollywood, Netflix, etc) of such content decide whether to accept a certain DRM-system or not. They will obviously accept a system that can only be circumvented with cameras and microphones (they currently do). But they probably won’t accept an open source system that anyone could use to produce perfect digital copies.
    So if Mozilla decided to implement their own open source DRM-system, it still won’t be possible to watch “protected” content with Firefox. Such a system would be completely useless; that’s why I said, that open source DRM is impossible.

  18. tnx @Bradley for reminding me why anytime I hear about anything GNU or EFF I shut down my ears and automatically support the opposing view. DRM is major part of the web now and always been (sending user & password to get access to content are part of HTTP 1.0). If I want to share specific content with X people in a “secure” way then who the fuck are you to deny me this freedom?
    In a way any standardization of DRM on the WEB will be better than the current state of affairs. To watch hulu I have to overcome their geo guessing (which is a DRM by itself) and have any show I watch reported to facebook (can’t use the site without facebook account). So if a standard DRM will make my life as a user easier and more private than the current situation then I am all for it.

    That being said, I agree mozilla forgot some time ago what is its true mission. The original mission was to produce a browser which will be better and more secure than IE6. Thankfully all browsers are now relatively secure, but it was some time since there was any visible effort to make firefox better to the user. I hate to break it to you Gerv, but the users care much more about the unwanted pop ups and pop under ads than DRM, but it is not a priority with mozilla, obviously less important for mozilla than some GUI change that no one asked for.

    But then mozilla now is a mobile OS manufacturer and not just a browser developer so it is not surprising that its adopting technologies for the sake of its mobile partners that probably put money in the development is more important for mozilla than the masses that use FF without paying.

  19. Marketing was invented with the “industrial revolution”. It is a function of the availability of cheap goods for the masses. I don’t bother you with the whole history. In today’s world marketing is one of the tools the corporations use to control the masses. They use two other tools, the lobbies to make laws and the media industry to create role models. It is not wrong in itself, it becomes wrong when there isn’t anything to compensate, when people can’t be self-determined, mostly because they are grown to be just consumers.

    Speaking of Mozilla we have several issues:
    1. is Mozilla really alternative to the corporate world? Or is it just a variation of the same world?
    2. the recent “CEO scandal” has shown that Mozilla promotes some role model(s), problem is they are both the same as what is promoted by corporations and they aren’t related to the Web.
    3. Mozilla can’t do marketing, can’t do lobbying and can’t control the media industry. Then the question is “what Mozilla can do?”. In the past Mozilla succeeded in making a difference with community and evangelism. I was an evangelist myself. We are back to point 1, if Mozilla is just a variation of the corporate industry then past ways don’t apply any more.

  20. Username+Password-based authentication is not DRM.
    Geolocation based access restriction is not DRM.
    Reporting which show you watch to Facebook is not DRM.

  21. If marketing was invented, then there must have been someone, who wanted to have marketing (if it was accidental, you would say that “marketing was discovered”). Marketing is not a basic need like food, water, sleep or shelter. Therefore at least for one moment one person wanted something else besides basic needs.

    (Yes, this looks a lot like trolling. But I think your argument is fundamentally flawed and reductio ad absurdum is the best way to show this.)

  22. Above all the big and general issues I see this: one day you look around and see everybody at Mozilla happily using mobile phones. In the same time you read somebody from Mozilla writing that Mozilla wants to save the Web against the “closed model” of the “apps”. But not only Mozilla comes last in the “mobile gadget arena”, everybody at Mozilla is a convinced adept/user of the “apps”. It is both swimming against the flow and a contradiction. Yes, FirefoxOS. But only for developing countries because nobody at Mozilla would use it. Let’s bring “democracy” to them because we are all good already. :)

  23. Before marketing there was rhetoric and demagogy. But back then the masses were good only as cannon fodder, nobody wanted to drain resources from them because they did not have any to spare.
    It was only when the average wealth increased enough that you could become rich by exploiting the fact that people are easily “educated” and “controlled”.

    You can easily trace back the first examples of advertisement in european countries and the first cases of lobbying and “education” with propaganda.

    When I think of “need” I think of the running shoes I bought. I needed them because my feet hurt. I don’t “need” a SUV to commute to/from my office because I don’t have to transport 3 surf boards to the beach and even so, the SUV doesn’t need a bull bar because there isn’t any wild big animal who can jump in front of it.

  24. That’s like saying open source encryption is impossible. Do you really think that by allowing users to watch open source DRM content via video tags there’s likely to be a rise in webrips? Don’t be silly. There can and should be an open source CDM.

  25. “Because an Open Source DRM-system is impossible?”

    Yes, but that isn’t what Paul was asking.

    DRM cannot be Open Source because that would make the goal of DRM impossible, to control who can provide DRM.

    But Paul’s question was “why a closed source Content Decryption Module”. Cryptographic software has been implemented in Open Source and even Free Software and such implementations are used even to protect diplomatic and military channels.

    A FOSS CDM would be able to ensure that only someone in possession of the correct key could decrypt the protected content.

    But DRM is not about the content or its protection, so the DRM facet of the whole EME thing can only be delivered by a closed source implementation.

    A FOSS implementation would allow any client on any platform to participate, to compete, and that would go against the essence of the interests of the parties involved

  26. And to add to that:
    there is no standard DRM nor any standardization of DRM on the Web

  27. With DRM you try to hide information from the end-user while simultaneously showing it to her (in a slightly different form). This is only possible, if there is some part of the computer that the user doesn’t control, i.e. that is at least closed-source. With encryption you try to hide information from a third party that only gets the encrypted data.

    It doesn’t matter what I think. It matters what the content-“owners” think, because they are the only ones who want DRM in the web. They think that it reduces “piracy” and they certainly won’t accept “open source DRM”.

  28. I’m not sure I get what you’re saying.
    Are you proposing that the EME-standard and CDMs are meant/useful for something besides DRM? I don’t think that’s true, but I would be interested to hear about other uses.
    But that’s not what this discussion is about. Even if you found a use for an open source CDM, Netflix&co wouldn’t allow such a system to decode their content. So this couldn’t help solving Mozilla’s problem.

  29. There are free NPAPI plug-ins of Java, LibreOffice, PackageKit, VLC, which are not exclusively for DRM. Replacing them with EME is not just making DRM safer (if that’s true), but also removing a tool with good uses (although I don’t know how many people use plugins for non-DRM purposes).

  30. Circumventing a closed-source DRM system is not impossible, but is more awkward than Ctrl+C, Ctrl+V. That reduces the number of consumers doing it, and this is why content providers are happy enough. But compiling source code is also non-trivial.

    Proprietary source code has been leaked before. The difference between open- and closed-source is *not* access to the code — it’s *legal* access to the code.

    Copying content without a licence is already illegal but not impossible. Copying decoding software without a licence is also illegal but not impossible.

    What do content providers gain by making the decoding software illegal to copy too? Another legal threat. Intimidation.

  31. A FOSS CDM wouldn’t be able to prevent the consumer from sharing their key with a friend. The consumer could alter the CDM’s code to remove any restrictions.

    Rights cannot be managed digitally — only legally.

  32. Why wouldn’t Netflix allow it? As Kevin said, open source encryption is used in the military, surely it’s part of Mozilla’s goal to correct the misconception that open source means less secure?

  33. That’s all true.

    EME is *no worse* than NPAPI. Both *can* be used for DRM.

    In practice EME is *only* used for DRM, but in principle it could be used in other ways.

    For example, imagine you have a thin client with little processing power or memory to decode HD video. The CDM is well separated, so it would be easy to make it run across the network on another computer.

  34. Surely that depends on the implementation? Granted they could recompile the open source module to print a key to a text file and thus allow easy key sharing, but in reality, most Firefox users never change a single option, what evidence is to suggest they’re all going to go out and find a solution to key sharing? Also surely there needs to be an onus on the content delivery system to cut off streaming content going to multiple IP Addresses? The suggestion that the buck stops with Firefox is ridiculous.

  35. Yes! I only keep Flash for the BBC and… other things Gerv would probably prefer me not to mention.

    A few weeks ago I changed Flash to “Ask to Activate” (in Addons > Plugins) and the Web doesn’t really look any different.

  36. As was mentioned before, we’re talking about open source Content Decryption Module. We’re talking about a piece of software that receives content, authenticates a key and decrypts said content in real-time. I’m unsure why this needs to be done with smoke and mirrors.

  37. Because it’s not about the security of the cryptography itself, but about what happens to the data once it is decrypted:
    In a DRM scenario, your computer gets encrypted data, say from Netflix. Then the CDM decrypts this and sends the decrypted stream directly to the operating system, which shows it on the screen (roughly speaking; there might be other components involved). The point of this is to prevent you from getting the decrypted data, because you might upload it on a filesharing-site or do other things the content owner doesn’t want you to do.
    If the CDM (and certain parts of the operating system) are closed source, you have no possibility to access the decrypted data. But if the source of the CDM is available, it would be very simple to modify it to write the decrypted data to your hard-drive instead of sending it to the display.

    The point of DRM is to make your computer do things that you don’t want it to do (or to prevent it from doing things you want). But this is impossible if you have the source code and can change what it does.

    Open source DRM is an oxymoron.

  38. It doesn’t have to be all Firefox users; a small number would be sufficient. Also you probably wouldn’t share just your key and then all download the encrypted stream, but either share both the key and the encrypted file together, or directly share the decrypted file.

  39. Sure compiling is non-trivial (unfortunately), but most users probably wouldn’t have to compile the DRM-with-circumvention-patch themselves. I use Firefox since it was called Phoenix and have compiled it less than a dozen times myself.

    And sure, the code of proprietary software has been leaked, but where can I download the code of any of the current popular DRM systems?

    My point is: An open source DRM system could be circumvented by downloading a single file and putting it in the right directory. And this file would be so easy to produce, that preventing its widespread distribution would be impossible.
    This is so much weaker compared to current closed-source DRM, that I don’t see why content owners would accept such a system. Especially considering the hardly existing advantages it would give them.

  41. Wow, I thought the poorly-conceived anti-power-user all-or-nothing GUI refresh was bad enough, but I think this is the first time since the Suite launched that I’ve seriously considered moving away from official Mozilla builds as a form of protest. It won’t be for any of the mainstream competitors either. You must understand that from an outsider’s perspective the last couple of years have been filled with negative compromises and depressing sudden public reveals on Mozilla’s part, and each incident slowly erodes the long-term user base’s ability to champion Firefox from a technical, interface, or political perspective.

    Smaller compatibility compromises are understandable — innerHTML, document.all — but this is a large-scale feature which carries with it significant long-term risk for open software platforms along with the potential for expansion into non-media domains. The same justification principles displayed here (“we won’t die on this hill”) can be bent into the right shape to justify supporting future pushes toward DRM images and textual content.

  42. While I agree that Mozilla needs to focus quite a bit on maintaining (and, hopefully, growing) the Firefox user base to remain relevant, I can’t help but feel that there are more significant ways to do so. E10s for UI responsiveness parity, better embedding to grow the ecosystem, all the sorts of things you (Gerv) have heard from me before and are probably tired of ;) Mozilla, like any other software organization, tends to focus their resources on the shiny (more DOM specs! another UI refresh!) over the… well, frankly, boring. (I hear that there might be people looking at Win64, again.)

    Preempting the response about people working on different things: Engineers aren’t fungible, but the funding to hire engineers is.

  43. I posted this on someone else’s blog, but I’ll double up here :) I feel like there’s an interesting blog post comparing companies that serve THEIR users vs. what Mozilla really tries to do by protecting ALL users’ rights. This EME thing is a pretty good example.

    It seems obvious in retrospect. Google fighting to make their users happy by providing Netflix, at the same time stepping on other users’ rights to actually own/watch content when and where they want. I see similar things in the second screen working group where Google really wants to make Chromecast work well for Chrome users, but has pushed back against developing a standard that works for other potential second screen devices/browsers.

    The fact that both these groups are described by the same name makes it hard to talk about that. When Mozilla says “We’re fighting for users”, it means a very different thing than when my Googler friend replies “We care about users too”. I wonder if we need different language to talk about this more clearly.

  44. You think that, of all open web fights, this is the easiest thing to push back on?

    We have been pushing back; look at the privacy features and sandboxing of our implementation. Other browsers don’t have that. But it turns out, pushing back so hard that the movie industry decides to give up on DRM entirely is not within our power.

  45. EME is about facilitating a key exchange between a local decryption module and a remote encryption module.

    Either module can be implemented in FOSS.

    What can not be implemented in FOSS is DRM behavior. That is not what Paul was asking but what you answered.

    I was just trying to clarify the misunderstanding

  46. I don’t think that that’s what Paul was asking. From his other posts, it seems he still thinks that open source DRM is possible.

    And apart from that: Which use-case does EME have besides DRM that can’t be fulfilled by existing standards? Encrypting data between the server and the client? That’s what TLS is for.

  47. Pingback: Boot Up: Mozilla v DRM (cont'd), Xiaomi's tablet, should you forget genocide?, and more | Digital News Daily CA

  48. Sepp dear fellow. I’m talking about an open source Content Decryption Module. Please cease and desist with your soapbox regarding open source DRM. My posts begin and end at the discussion of why the CDM needs to be closed source. Even if the CDM partner that Mozilla go with is Adobe, I’ll accept that as long as the CDM is open source. Even if it’s “open source” in the same way that Android is.

  49. That’s not a Firefox concern. That’s the concern of the CDM partner and the content creator. Mozilla’s job is to do the best by their users and leveraging said users to see an open source Content Decryption Module is the bare minimum.

  50. Thank you for clarifying. For whatever reason Sepp was ignoring what I was attempting to say and running with his own argument.

  51. The whole point of the CDM and the EME-standard and the reason why Mozilla is feeling compelled to implement it in Firefox is DRM. A CDM has no use other than DRM. If you accept that open source DRM is not possible, then you have to accept that an open source CDM makes no sense.

    An open source CDM is a piece of software that does essentially nothing but waste memory and CPU time.

  52. I’m really sorry, but I simply don’t understand your position. What do you think the EME-standard is meant to do? And how could that goal be achieved using only open source software?

  53. Sure, but if Mozilla develops a product (a useless open source CDM) that no one will use, how does that benefit anyone? Users will still switch to other browsers because they can’t watch Netflix and Mozilla will have wasted a lot of developer-time.

  54. You don’t have to convince me that DRM is a bad idea (technically, economically, socially, …). But unfortunately that’s not how content owners see it.

  55. You wrote that we agreed in our form 1023 to: “keep the Internet a universal platform that is accessible by anyone from anywhere, using any computer, and … develop open-source Internet applications”. We are still developing open source applications (Firefox, as shipped, will still be open source), and we are still working towards the first part of the above goal too. The announcement we just made is not a step forward; I would characterise it as avoiding a long slow slide backwards.

    If we find ourselves unable, in a certain aspect, to “keep the Internet a universal platform” etc., what do we do? Give up and go home? How would that help? We could take a position that the above commitment actually means “make software that only accesses the bits of the Internet which are accessible by anyone from anywhere using any computer” and tell people to use other software if they want to access the other bits. But we decided that competition in the web browser market (a good thing, generally) is now so strong that there is significant risk to our ability to influence _anything_ if we took that route. A Mozilla with the power to change nothing is far less useful than a Mozilla with the power to change many things (but not DRM, yet).

    On the issue of DRM itself: part of Mozilla’s relative silence on this issue in recent months has been that we needed to negotiate a “good” (not as bad as it could be) CDM deal, and credibly be willing to walk away if we didn’t get one. (And I believe our negotiators would have done so.) Now we’ve done that, we should be able to do more and say more. For example, the Mozilla Foundation has already, I believe, agreed to work on Cory Doctorow’s second request (in his Guardian article) of designing a curriculum to educate people about the true problems of DRM.

  56. “The original mission was to produce a browser which will be better and more secure the IE6. ”

    Er… even if that was the mission, even if that was the reason so many people adopted and promoted Firefox, the addition of DRM compromises the security of the users. IE6 is perfectly secure as far as Microsoft is concerned because it protects Microsoft’s rights. It does not protect ours.

    DRM is a digital lock to which the owner (which means them, not you or me) controls the key. Apple controls Apple DRM. Microsoft controls Microsoft DRM. Adobe controls Adobe DRM. Disney owns Disney DRM. You may think you control your computer or your software or your media, but the presence of DRM means your only control is what control the true owner allows you.

    If you want to consider email passwords to be DRM, on your email account on a server you control — that is to say a mail server physically present in your home — your password is one element of *your* security, so you might consider DRM to be your own Digital Rights Management. In this instance, your password is your digital key, and you do control it.

    If, on the other hand, your email account sits on a Gmail server, while your password allows you to access the account, Google owns the master keys. Not only does your password not protect the email you write, send and receive from being read or copied by Google, Google’s master key (DRM) has the power to lock you out of the email account Google allows you to use.

    If someone besides me controls the keys to my home, they may feel it is secure but I certainly don’t. Privacy is considered to be a human right for a reason: it is a necessary component of personal security. DRM and closed source threaten our personal security.

  57. The problem isn’t the language, it’s that Google and Mozilla (like Microsoft and Apple) are corporate entities that exist to protect their own interests. The only reason to care about users or fight to make them happy is if they must. Being “not evil” and “caring for” customers is part of the marketing needed to increase market share. But once a corporate entity becomes a monopoly, such policy becomes obsolete, and the user experience is rather like doing business with Darth Vader. When IE knocked off Netscape and Microsoft became the de facto monopoly, there was so little incentive for improvement Microsoft couldn’t even be bothered to upgrade IE for years.

  58. I think the argument that “Mozilla needs to focus quite a bit on maintaining (and, hopefully, growing) the Firefox user base to remain relevant” is ridiculous.

    The reason Firefox became relevant was because it was adopted and promoted by users who cared about the security that comes with free software. If Mozilla’s idea of “relevance” is to make Firefox just like all the other non-free browsers, it’s simply time for people concerned about personal security and free software to migrate to IceWeasel and any other browser aspiring to protect our interests.

  59. @Gerv, what about auto-playing a DRM’d ad that’s anti-DRM that can’t be sped through at the beginning of all DRM content that Firefox plays?

    That would show users who like DRM how it can be used to annoy them, while educating users who don’t know what DRM is at the same time?

  60. Sorry to break it to you Laurel, but the actual reason why Firefox became relevant was because it was self-evidently better than Internet Explorer and it was free as in beer. That’s really all there is to it. The average person doesn’t care about freedom or privacy, as long as they can get what they want (hence, the wild popularity of things like Facebook and Twitter, or the fact that virtually all PCs are still running Windows). Heck, a bunch of Firefox users jumped ship to Chrome once it became a little bit faster than Firefox. Gerv even acknowledged this in the comments on the LWN story.

    So without EME support Firefox then becomes “that browser that is slower than Chrome and can’t play Netflix.” Gee, I wonder what effects that would have on Firefox’s user share. And all this is without any tricks being played by other parties: imagine Google paying Netflix to declare Chrome the “officially endorsed browser of Netflix” and sticking a prominent “Download Chrome” icon on their site.

    The only reason Firefox has been able to exert as much leverage as it has on things like DRM and patents is because of the size of its userbase. If you want to advocate jumping ship to some “pro-freedom” browser no one’s heard of, you’re welcome to do that, but understand that in doing so you’re also advocating for essentially giving up any power over the future of the Web ecosystem, since no one but you and the other true believers will do it, while everyone else will switch to Chrome if they can’t do things like watch movies on Firefox. Then you can protest all you want about the next proposal out of the media conglomerates or proprietary software giants, and they will look at your .01% market share, giggle, and proceed with what they were doing.

  61. “Which use-case does EME have besides DRM that can’t be fulfilled by existing standards?”

    Well, according to the proponents of the specification its purpose is to allow browsers to be a mediator in the negotiation between a client and a server side crypto module.

    An addon to the transport security provided by SSL/TLS.

    Transport layer security only protects the data during its journey across the network, the data is available in clear text once it leaves the socket, so e.g. malicious JavaScript can access it.

    The CDM is a means to ensure that doesn’t happen, basically to make it possible for content to get out of the browser untampered.

    A bit like treating the browser as part of the transport chain, not as the end point.

    A FOSS CDM can provide that, just like a FOSS PGP plugin providing email crypto

  62. In that scenario, who exactly would be the attacker? It would have to be someone, who can inject malicious Javascript (you write this as an example, but I can’t think of any other attack vector) into the protected website, but has no further access to it (else he could directly obtain the data). So in this case, the CDM would protect against a server-side vulnerability using a client-side solution. I find that a quite strange proposal.

    In any case, none of this has anything to do with the present case. As I keep saying (and you and Paul keep ignoring), FOSS DRM is impossible, so a FOSS-CDM would be completely useless to solve Mozilla’s problem (the fear of losing users because of missing support of DRM).

  63. I don’t see why a client side running JavaScript would be a server side vulnerability but, yes, the CDM basically only protects against a browser compromised by non-native code.

    That’s the purpose of the CDM as stated by the EME specification.

    There is nothing that prevents a CDM from being implemented in FOSS.

    I won’t argue that it seems unnecessary to protect against malicious script code in such a way, but maybe the tremendous increase in script based extensions has made that necessary.
    Maybe it is just forward looking and the people involved envision lots of script based in-browser apps.

    The reason Paul and I have to keep repeating this is because you always bring up a different use case, DRM, and then wrongly arrive at the conclusion that if one use case cannot be done in FOSS, none can.

    But the original question Paul brought up was whether a FOSS based CDM would be possible, and the answer to that is and remains “yes”.

    Trying to answer a different, unasked, question, with “no” doesn’t change that either.

  64. Pingback: NonSoloSoftware | MadBob

  65. > they think that lecturing someone about what they should want rather
    > than (or before) giving them what they do want is a winning strategy…
    > It’s certainly true that Mozilla has a different stance here.

    Really? Mozilla’s strategy is different?

    Mozilla doesn’t, you are saying, lecture people about what UI they
    “should” want, despite the fact that nobody wants it, then when the
    negative feedback from the community looms very large Mozilla
    does not claim that it’s only the default and the option to get the UI
    people want will remain, then about two versions later Mozilla does
    not take said option out of the preferences, and then a year or so
    later Mozilla does not surreptitiously disable even the about:config
    option so that there is now NO way to get a traditional browser UI
    any longer without installing a special third-party extension? We
    should NOT want a traditional browser UI. The message seems
    pretty clear to me. I am fairly certain said extension will cease to
    be available within another year or two.

    The thing is, I’m not even sure you’ll know which specific aspect
    of the UI I’m talking about (I do have a particular thing in mind),
    because Firefox has forced so many unwanted and completely
    pointless UI changes on the userbase in the last couple of years,
    I’ve lost count.

    I now use two main browsers: Firefox 2.0.0.20, which has the
    UI that I want but lacks support for some important newer bits
    of CSS, and Seamonkey, which has the CSS support but is
    not *quite* right in the UI department (e.g., tabbing into text
    input fields does not select the contents, a major annoyance
    in some use cases).

    It is unlikely I will ever again use a recent version of Firefox.

  66. Pingback: DRM dans Firefox : quelle affaire ? » MozillaZine-fr

  67. Firefox -2- ?! Please, please tell me that you run it in a VM that you reset regularly!

  68. Pingback: Firefox, DRM and W3C EME: a complicated (technical) matter - Daniele Mte90 Scasciafratte
