paul@xxxxxxxxx:
> I just received a message from the Free Software Foundation
> advising me that Mozilla has climbed in bed with Adobe
> Corporation and will implement digital rights management,
> DRM, in FireFox. Until now they had not supported DRM.
> They claim to take this act to preserve market share, but it
> would not surprise me if money changed hands as an
> additional encouragement.
>
> TOR is not about DRM, but if TOR continues to use FireFox as
> the basis for its browser, then the nose of the DRM camel
> will appear under the wall of the tent. Some of us have
> assiduously avoided DRM, and TOR was one way to do so. Will
> it continue to be?
>
> The source code for FireFox is available free and so the DRM
> code could be stripped out before making it the TOR browser.
> Doing so, however, will require additional effort; is TOR
> prepared to take on this task?

I hope that it goes without saying that any changes that Mozilla makes to allow or include additional third party closed-source/binary components will be rejected by us, due to the inability to audit these components for Tor safety, privacy, or general security.

There is a long history of such components completely ignoring the Tor threat model in their design and implementation, even if by some miracle they end up being securely sandboxed for normal usage. It would be foolish of us to assume that this DRM mechanism would be any different.

Moreover, simply removing the DRM will be trivial, and it will be high on our list of tasks for any rebase effort onto the Firefox release to support it. I'm not too worried about the technical details of that.

What does worry me is that based on Mozilla's blog post on the topic, it seems at best their implementation will still provide websites with a per-device unique identifier:
https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/

Due to the ubiquity of deployment of this scheme, it is likely that this identifier will soon be abused by all sorts of entities, likely starting with banking and government sectors, and quickly moving on to the advertising industry (why not play a short device-linked DRM video with your banner ad? You get a persistent, device-specific tracking identifier as part of the deal!). I think it is also quite likely that many arbitrary sites will actually deny access to users who do not provide them with such a device-id, if only due to ease of increased revenue generation from a fully identified userbase.

I hope that when this happens, we will begin to see FOSS re-implementations of this identifier mechanism, if not the CDM itself. Hopefully we won't be fighting this aspect of the battle by ourselves. It will be a way more costly battle to fight than simply removing the DRM.

It seems that neither Mozilla nor Google have fully thought through the social effects of giving a unique device-id to arbitrary websites. Or worse, they simply do not care. That is indeed deeply troubling.

--
Mike Perry
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk