This week, the influential voice of Unesco joined the chorus of people objecting to the addition of DRM to the HTML5 standard. Both of our winning comments on the insightful side are anonymous and came in response to an accusation of hypocrisy, in which a commenter compared the EME DRM scheme to HTTPS encryption for websites. The first-place winning response covered the key differences in purpose and function:
Anonymous Coward: 0
Just like other websites, streaming media should use transport-level encryption. This prevents access to the data stream between points A and B.
DRM is not encryption really: it is gatekeeping by obfuscation. This is due to the fact that the data being sent has to be decrypted locally. The goal of EME is to move this decryption of content as close to the hardware as possible, to prevent the person viewing the decrypted content from… viewing the decrypted content.
As such, DRM rarely functions as desired. One person sits something outside the EME, grabs the decrypted stream, and then shares this stream with others, circumventing the encryption. Others who have a legitimate access to the encrypted stream find that they can’t consume it as they see fit, can’t likewise encrypt their own streams without assigning copyright to someone else, and have access to information that is being intentionally sent to them arbitrarily restricted, not necessarily always in a legal manner, or a manner supported by fair use.
The second-place winning response also touched on the differences in implementation:
Encryption protects the data, but does not limit what the user can do with the data. DRM limits what the user can do with the data to viewing or listening to it only via defined programs and codecs.
Also there are significant implementation differences. Encryption is based on key exchange, and the user can use open source software for implementation. The proposed DRM mechanism is a way of downloading and executing proprietary closed source code which demands low level access to the likes of the video and audio system, to try and bypass any use of the operating system to capture the decoded data. This also introduces a new route for malware to be installed on the system.
So let’s put that argument to bed, shall we? For editor’s choice on the insightful side, we head to our story about the FBI arresting the creator of a remote access tool, where one commenter noted that plenty of large companies produce similar tools and go unhassled, specifically wondering when they’d go after Dameware. Roger Strong wasn’t holding his breath:
Remote Desktop products from Symantec’s PCAnywhere and TeamViewer have long been used for similar crimes. The company that acquired Dameware is worth at least $4.5 billion.
To answer your question, “never.” They have the resources to defend themselves. This guy doesn’t.
Next, we head to our deep dive into the reasons that the Copyright Office should remain under the Library of Congress, where one commenter declared this a bad idea on the basis that the latter is a “failed institution” — an idea with which James Paul Burkhardt took exception:
I question your premise. The Library of Congress is not a “failed” institution. And, in fact, the current Librarian of Congress is a good way to fix the private industry revolving door. By hiring an actual Librarian with proven history modernizing Libraries, the stage has been set for a more functional Library of Congress. And, very quickly, the librarian, understanding the needs of the copyright office, found the industry insider unsuitable to the task.
Retaining the copyright office as an arm of the Library of Congress makes sense. The ‘fix’ is to put actual librarians in charge of the library, like we put actual judges on the Supreme Court. This would allow the Librarian of Congress to choose heads of the copyright office that maximize the synergies of the two departments, and improve the whole process.
Over on the funny side, we’ve got a very context-dependent winner in first place, so we’re going to twist the format a bit. Instead of two funny editor’s choices, we’ve got a bonus insightful editor’s choice followed by one for funny, and they’re both coming before the first place winner… so they can set up the context of the thread. It starts on our post about the discovery that facial recognition on the new Galaxy S8 can be easily fooled with a photo. One commenter turned to the other fact that such recognition can work with an unconscious person as reason not to trust its security, leading OldMugwump to offer the universal advice that it depends what the threat is:
As with all things security, it depends on how much security you need, the consequences of failure, and who your opponent is.
There are lots of things for which minimal security is fine – when a breach involves minor consequences you can easily live with.
For other things you need more security. If your phone can transfer away your life savings, for example.
And if your opponent is the NSA you need stronger security than if it’s the nosy guy in the next cube at work.
Nobody should expect a single level of security to be right for everyone, or for everything.
Stronger security has costs that you don’t want to pay for trivial gains.
That’s when things took a turn for the comedic, with an anonymous reply taking the hypothetical scenarios further:
Unless the nosy guy in the next cubicle works for the NSA. But then, if he works for the NSA, he’s probably working *in* the NSA’s buildings, which means that you’re working in the NSA’s buildings, which means that *you* also work for the NSA, which means that you must have the strongest possible encryption against your own access.
Ok, that’s done it. My head’s exploded.
That level of security is a bit excessive, don’t you think?
And that just leaves us with our second place winner on the funny side: Roger Strong with some dystopian musings on the future of armed police drones:
Relax. With ever-increasing battery energy density, soon the drones can be launched from a central location rather than by hand from a nearby squad car. No local human assistance required.
That means they can be controlled by outsourced labor in another country. Heck, people sitting in California have been tele-killing people via drones in Afghanistan and Yemen for years!
Outsourced drone pilots will be far cheaper than police officers, there’ll be no police union, and they’re easy to replace with another anonymous hire if they screw up. It makes deflecting the blame in a wrongful death a lot easier too.
They might even locate the drone “call centers” in Afghanistan, Pakistan and Yemen to provide jobs as part of the rebuilding process. Abundant cheap labor; folks who have already been taught the concepts and potential of drone operations.
The outsourced drone cops won’t be normal citizens *or* government employees. Equality problem solved.
Hope This Helps!
That’s all for this week, folks!