[DaveMebs]

But if the DRM solution is implemented through JS code in the browser, it is trivial to pirate. I know DRM is always broken, etc., but at the same time it is hard to take an argument at face value that discounts the security differences between these approaches.

JS is trivial for anyone moderately skilled to crack - you're sending content in the clear from the browser through the stack.

DRM solutions enabled by EME can be much more robust and difficult to crack.

Similar to other commentators, I struggle with the issue, but just saying "put it in JS" is not a very compelling argument. The current EME approach of a publically defined API that any DRM solution can plug into feels like a pretty reasonable compromise here.

[Daiz]

>it is trivial to pirate.

As long as it isn't trivial for the casual user, I wouldn't call it much of an issue. As I said, dedicated pirates will find a way regardless, even if comes down to screen capturing. That's how people are pirating Netflix content at the moment. Of course, this does lead to some level of quality loss, since you're doing a lossy re-encode of a lossy source.

On that note, if we consider "wannabe pirates must re-encode the video to share it around" as a decent video content protection goal, then you can definitely do that with HTML5 video and some JS without resorting to any kind of EME trickery.

Anyway, at the end of the day, it is definitely true that JS content protection schemes will be inherently weaker compared to black box DRM plugin solutions enabled by EME. But why on Earth should we compromise the very nature of Open Web to enable this rather than make Big Media compromise on their platform control addiction to have their content on the Open Web? And if they're unwilling to do that, then well, they can stick to their Flash and Silverlight all they want in my opinion. EME doesn't make any promises about cross-platform compatibility anyway, so better stick with the two devils we know than switch to a system comprised of several unknown demons.

[dasil003]

JS DRM is not DRM, full stop. The entire point is the black box. Without that you are always one greasemonkey script away from having a full-stream ripper for the casual user.

Yes, there is always the analog loophole, so ultimately all DRM is a best effort, but any JS implementation is at best 1% of current DRM implementations, it is no better than clear key encryption regardless of what obfuscation you put around it.

I really don't understand the point of the hand-wringing over EME. Before EME the only option for DRM was full-blown plugins, EME is much better for the open web than the dictatorship of Flash or Silverlight. As far as I can tell, technical activists are hoping to somehow put pressure on big content by refusing EME, but having spent the last 8 years building a streaming company, I can tell the EFF and everyone else that their advocacy has exactly zero weight with any content rightsholders. Big content will never capitulate to the abstract desires of the free software crowd because they hold the nuts. You either play ball with their demands or you don't get the content. Yes piracy will never go away, but it's illegal, so they will just continue playing whackamole for anything that approaches a good UX and pushing their DRM agenda on the rest of the industry.

Opposing EME is just a pointless skirmish over an implementation detail which overall is a huge net win for open web standards. Being absolutist about it just means everyone is going to have some shitty plugin, and they will have some shitty plugin because people want the studio content.

And as stupid and pointless as DRM is in the grand scheme of things, there is no principle I can think of that forbid people from building it. The Right Thing™ is that studios should be free to build DRM, and people should be free to hack it, there shouldn't be legal protections on either side. But for the free software community to refuse to make any integration points with DRM is just cutting off ones nose to spite ones face.