Wednesday, 29 May 2019

How DRM has permitted Google to have an "open source" browser that is still under its exclusive control

A year ago, Benjamin "Mako" Hill gave a groundbreaking lecture explaining how Big Tech companies had managed to monopolize all the benefits of free software licenses, using a combination of dirty tricks to ensure that the tools that were nominally owned by no one and licensed under free and open terms nevertheless remained under their control, so that the contributions that software developers made to "open" projects ended up benefiting big companies without big companies having to return the favor.

Mako was focused on the ways that "software as a service" subverted free/open software licenses, but just as pernicious is "digital rights management" (DRM), which is afforded a special kind of legal protection under Section 1201 of the Digital Millennium Copyright Act: under this rule, it's illegal to reverse-engineer and re-implement code that has some connection with restricting access to copyrighted works. That means that once a product or service has a skin of DRM around it, the company that controls that DRM also controls who can make an interoperable product.

That's where Google's web-dominating Chrome browser (and its nominally free/open cousin, Chromium) come in: they have become the de facto standard for web browsing, serving as the core for browsers like Microsoft Edge and Opera.

And while you can use or adapt Chromium to your heart's content, your new browser won't work with most internet video unless you license a proprietary DRM component called Widevine from Google. The API that connects to Widevine was standardized in 2017 by the World Wide Web Consortium, whose members narrowly voted down a proposal to change the membership rules for the W3C to require members not to abuse the DMCA to prevent DRM from becoming a tool to undermine competition.

Prior to 2017, all W3C standards were free for anyone to implement, allowing free/open browser developers to create their own rivals to the big companies' offerings. But now a key W3C standard requires a proprietary component in order to be functional; that component is under Google's control, and the company will not authorize free/open source developers to use it.

This is exactly what the Electronic Frontier Foundation and other opponents of standardizing DRM at the W3C predicted would happen.

Wait for the next shoe to drop: DMCA 1201 is so badly drafted that it exposes security researchers to criminal and civil penalties if they reveal defects in DRM systems. Now that Widevine is becoming a common component of virtually every browser, any defects in Widevine could have disastrous consequences for billions of people -- and the W3C also refused to enshrine protection for security researchers who came forward with true disclosures about defects in DRM in its standard. Google is every bit as capable of making security errors as anyone else, and DRM is particularly risky because by its nature, it hides its operations from the owners of the computers it runs on, to prevent those owners from shutting it down or subverting it. When (not if) a critical vulnerability in Widevine is discovered, only bad guys will be able to use that discovery (to attack billions of people), while good guys will have to face major legal hurdles just to warn us all about what they've found.

“The browser is the thing which sees the most of you,” said Eben Moglen, an antitrust law professor at Columbia Law School who has studied browsers and their role in competition for decades. Chrome has become outright hostile to services that seek to cut down on advertising, like ad blockers, Moglen added.

Google’s Chrome Becomes Web ‘Gatekeeper’ and Rivals Complain [Gerrit De Vynck/Bloomberg]