Mozilla Throws in the Towel on DRM

I thought Mozilla releasing its version of Chrome was the most disappointing thing the company could do this year but I was wrong. Yesterday Mozilla announced that it decided to throw in the towel against digital rights management (DRM) technology being included in its browser:

Despite our dislike of DRM, we have come to believe Firefox needs to provide a mechanism for people to watch DRM-controlled content. We will do so in a way that protects the interests of individual users as much as possible, given what the rest of the industry has already put into place. We have selected Adobe to provide the key functionality. Adobe has been doing this in Flash for some time, and Adobe has been building the necessary relationships with the content owners. We believe that Adobe is uniquely able to bring new value to the setting.

Mozilla was the last holdout of the major browser providers to refuse to implement DRM technology. I understand why Mozilla is doing this. The company’s browser marketshare has been diminishing since Google released its Chrome browser. If major video providers start using Encrypted Media Extensions (EME), the new DRM technology that has been settled on, and Firefox is unable to display those videos it will further hurt its marketshare.

But by implementing DRM Mozilla has also abandoned its manifesto:

The Mozilla project is a global community of people who believe that openness, innovation, and opportunity are key to the continued health of the Internet.

[…]

The Mozilla project uses a community-based approach to create world-class open source software and to develop new types of collaborative activities.

[…]

2. The Internet is a global public resource that must remain open and accessible.

[…]

7. Free and open source software promotes the development of the Internet as a public resource.

[…]

build and enable open-source technologies and communities that support the Manifesto’s principles;

Since the beginning Mozilla has touted itself as an open source project meant to support an open Internet. But it cannot do so while implementing DRM technology. As its blog post states:

The industry is on the cusp of a new mechanism for deploying DRM. (Until now, browsers have enabled DRM indirectly via Adobe’s Flash and Microsoft’s Silverlight products.) The new version of DRM uses the acronyms “EME” and “CDM.” At Mozilla we think this new implementation contains the same deep flaws as the old system. It doesn’t strike the correct balance between protecting individual people and protecting digital content. The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach.

Emphasis mine. In order to implement the DRM technology Mozilla has to rely on a closed source binary provided by none other than Adobe (who, I might add, has a deplorable security record). This goes against its manifesto of working to keep the Internet open and providing a quality open source project.

However I will begrudgingly give Mozilla some credit. The DRM binary will be sandboxed, optional, and not installed by default:

Firefox does not load this module directly. Instead, we wrap it into an open-source sandbox. In our implementation, the CDM will have no access to the user’s hard drive or the network. Instead, the sandbox will provide the CDM only with communication mechanism with Firefox for receiving encrypted data and for displaying the results.

Traditionally, to implement node-locking DRM systems collect identifiable information about the user’s device and will refuse to play back the content if the content or the CDM are moved to a different device.

By contrast, in Firefox the sandbox prohibits the CDM from fingerprinting the user’s device. Instead, the CDM asks the sandbox to supply a per-device unique identifier. This sandbox-generated unique identifier allows the CDM to bind content to a single device as the content industry insists on, but it does so without revealing additional information about the user or the user’s device. In addition, we vary this unique identifier per site (each site is presented a different device identifier) to make it more difficult to track users across sites with this identifier.

As plugins today, the CDM itself will be distributed by Adobe and will not be included in Firefox. The browser will download the CDM from Adobe and activate it based on user consent.
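
The per-site identifier scheme described in the quote above can be sketched as follows. This is an added example, not Mozilla's or Adobe's code: the quoted post does not say how the identifier is derived, so the HMAC-SHA256 construction and the names `SandboxIdProvider`, `identifier_for` and `site_origin` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def site_origin(url: str) -> str:
    """Normalise a URL to scheme://host:port so one site always maps to one key."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported origin: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return f"{scheme}://{parts.hostname.lower()}:{port}"


class SandboxIdProvider:
    """Hypothetical sandbox-side service; the CDM never sees the device secret."""

    def __init__(self, device_secret: Optional[bytes] = None):
        # Random per-install secret (assumption): it is not derived from
        # hardware serials, so it reveals nothing about the device itself.
        self._device_secret = device_secret or secrets.token_bytes(32)

    def identifier_for(self, url: str) -> str:
        # Keyed hash of the origin: stable for one site on one device,
        # but two sites cannot link their identifiers without the secret.
        origin = site_origin(url).encode("utf-8")
        return hmac.new(self._device_secret, origin, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample origins, for illustration only.
    device = SandboxIdProvider()
    for url in ("https://video.example/watch?v=1",
                "https://video.example/account",
                "https://tracker.example/pixel"):
        print(site_origin(url), device.identifier_for(url)[:16])
```
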

As I said earlier I understand why Mozilla is doing this. I don’t like it but at least the Mozilla development team is being as smart about this implementation as possible. This way people like me who trust Adobe as much as a kleptomaniac can simply not install this crap.

What really worries me about this is that it sends a message to the media production industry and that message is that they can now demand DRM be made an integral part of the web and have their demands met. Make no mistake this is just the beginning of a snowball that will continue to grow in size. The DRM may be primarily geared towards video today but it will expand to include images and eventually text. Before you know it the web will be turned into a wasteland where content providers attempt to tightly control said content.

The only upside is that DRM technology always loses against the hacker community. But due to the Digital Millennium Copyright Act (DMCA) bypassing DRM technology now carries legal risks, at least in the United States. That means taking what steps are necessary to maintain an open web will be a criminal act. Some very bright people will likely end up in a cage for doing the right thing (not that that’s uncommon, especially here in the United States).