Why I used to love DRM-free streaming

This is kind of a follow-up to my previous blog post about the history of DRM, which I wrote here.

What I want to talk about in this blog post is which video-on-demand providers decided to not use these mechanisms for their content.

The basic gist of what I wrote there was that copyright holders of popular media wanted a means to protect their content when distributed to consumers digitally, video on demand providers wanted technical solutions to provide such means of protection and make a feasible business model out of it and tech companies wanted to solve these issues in various ways.

Long story short, they all had their dreams come true via the development of three concurrent technologies for protecting digital media: Apple's FairPlay, Microsoft's PlayReady and, last but not least, Google's Widevine.

These three pieces of technology are nowadays used to protect, behind the scenes, all video media that's copyright protected but which also reaches your screen.

They are the foundational building blocks that enforce copyright in a mostly transparent way.

Now, let's talk about enforcement, as not all video on demand providers use these technologies in equal capacity.

Technically, to enable the usage of these technologies in an agnostic way, the W3C introduced a new web standard called the Encrypted Media Extensions (which introduced the requirement for web browsers to include some form of proprietary decryption components, even browsers that had been traditionally open source).

By the standardization of this technology, all web platforms had a common and stable API to call from their client-side JavaScript to interact with the underlying FairPlay/PlayReady/Widevine protection facilities in order to initiate and maintain a secure channel to transfer copyrighted video content through the internet.
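The capability probe a player page runs through this API, as an added example that is not part of the original post: `probeKeySystems` asks the browser, via the standard `navigator.requestMediaKeySystemAccess` call, whether a CDM exists for each of the three systems. The key system strings are the identifiers commonly used for them; the probe configuration and the `playbackDecision` policy are illustrative assumptions.

```javascript
// Added example: EME capability probe. Key system strings are the commonly
// used identifiers for the three DRM systems named in the post.
const KEY_SYSTEMS = {
  widevine: 'com.widevine.alpha',
  playready: 'com.microsoft.playready',
  fairplay: 'com.apple.fps',
};

// Assumed minimal request: H.264 in MP4. The browser keeps whichever
// init data types it supports and rejects only if none of them match.
const PROBE_CONFIG = [{
  initDataTypes: ['cenc', 'sinf'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// nav is a Navigator-like object (window.navigator in a browser).
async function probeKeySystems(nav) {
  const result = {};
  const hasEme = !!nav && typeof nav.requestMediaKeySystemAccess === 'function';
  for (const [name, keySystem] of Object.entries(KEY_SYSTEMS)) {
    if (!hasEme) { result[name] = 'eme-unavailable'; continue; }
    try {
      // Resolves with a MediaKeySystemAccess when a CDM can serve the request.
      await nav.requestMediaKeySystemAccess(keySystem, PROBE_CONFIG);
      result[name] = 'available';
    } catch (err) {
      // NotSupportedError: no CDM can serve this key system.
      result[name] = err && err.name === 'NotSupportedError' ? 'no-cdm' : 'error';
    }
  }
  return result;
}

// Hypothetical site policy: a strict site refuses playback without a CDM,
// a lenient one only warns.
function playbackDecision(probe, { requireCdm }) {
  const usable = Object.keys(probe).filter((k) => probe[k] === 'available');
  if (usable.length > 0) return { action: 'play-protected', keySystem: usable[0] };
  return { action: requireCdm ? 'refuse' : 'warn-and-play', keySystem: null };
}

// In a browser this logs the probe result for the real navigator object.
if (typeof navigator !== 'undefined') {
  probeKeySystems(navigator).then((r) => console.log(r, playbackDecision(r, { requireCdm: true })));
}
```

With the CDM disabled, every entry comes back as `no-cdm`, which is the condition a strict site turns into a playback error.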

Since this particular standardization back in September 2017, it was pretty clear that video on demand services had a stable future ahead of them.

Netflix, which had already been proven to have a successful business model by that point and was already an extremely popular platform even back then, was reaching revenues that were quite impressive.

Many other video on demand platforms were already quite well established, by this point, which was already a good indicator that this EME tech being standardized was pretty much inevitable.

However, there were those people that had an issue with this: the free software crowd.

Free software, as a social movement, was always about promoting open source and the ability to contribute and share your changes with the world at large, as much as possible.

The free software crowd never liked the idea of forcing proprietary components into web browsers in order to keep them compliant, as that would go against the very principle of what they argue the open web should be.

But, as I said in my previous blog post, the open source dilemma was a huge one and, realistically, there is no way to write a web browser that's fully open source but which also is supposed to allow for hiding of digital data that's copyright protected and very valuable.

To do so entails that anyone that has some experience with the programming language that this web browser is implemented in can very well take the source code as it is, change it to bypass the security measures that are implemented in the vanilla browser, re-write the pipelines that the protected data are supposed to go through and change them so that you reconstruct a video file from the stream instead, dump said file on your desktop and then, “voila!”, just like that, you have an unofficial fork of that browser that can steal the video contents from Netflix and dump them in mp4 files on your desktop and then share that file with the world at large.

Nobody wants that.

And so, even though this decision displeased the free software crowd by a lot (so much so that, the same day the EME tech was officially standardized, the Electronic Frontier Foundation published an open letter of resignation from the W3C), the W3C made the difficult decision to standardize this technology anyways in order to prevent third party media plugins (e.g. Adobe Flash or Microsoft Silverlight) from re-emerging into the scene as necessities to use Netflix or other video-on-demand providers.

Web browsers that were historically open source but still wished to remain fully web standards compliant (such as Mozilla's Firefox) ended up having to devise clever workarounds to provide the needed functionality to their userbase. Mozilla, for example, figured out a way to do this by simply piggybacking on Google Chrome's existing proprietary Widevine CDM solution and utilizing this as a plug-in to their, otherwise open source, web browser. And, to still keep their free software promoting user base happy and not have them cry foul and yell that Mozilla is “polluting” a free software browser with proprietary nastiness, they added a checkbox in their browser's settings that allows the end user to decide whether to enable the Widevine plug-in or disable it completely. Disabling it would mean, obviously, that video on demand providers would have no way to create a secure communication channel with the Content Decryption Module on the end user's device (since there is no CDM to talk about at all) and, thus, there would be no way to secure the video content, which means that sites like Netflix would simply refuse to let you stream from them, even if you were a paying customer.

Obviously, this meant that most people that still use Firefox kept that checkbox enabled, so that Widevine would remain as an installed plug-in and be constantly enabled. After all, who doesn't want to watch Disney+ TV shows on their computer?

Well, maybe this won't surprise very many people, but I am a hard-boiled free software advocate myself and I've always been very adamant about the web needing to be as open and devoid of proprietary technologies, as possible.

Given my very puritan stance on this matter, it should come as no surprise, dear reader, that I was among the very few Firefox users that kept said checkbox unchecked, and so I had no Widevine CDM to speak of installed on my Linux system.

This meant, effectively, that video on demand providers like Netflix, Disney+, Amazon Prime Video and so on would detect the lack of a proper CDM in my browser and, obviously, they would refuse to stream any content to me, because there was a very real risk that I would then copy said video and allow others to pirate it from me.

Needless to say, I was a bit unhappy with the current state of affairs. Still, I wasn't willing to compromise, and I genuinely believed, deep down, that video-on-demand as a business model was doomed to fail and that it was the root of all evil, as it was causing the advent of more proprietary solutions that were parasitizing a pure and virgin web.

In my quest to find video on demand on the web to consume but which did not require me to enable the proprietary CDM in my browser, I ended up with three video on demand platforms that I had to choose from: Crunchyroll, HIDIVE and Wakanim.

Before you say anything, no, I wasn't specifically choosing anime services to watch; it just so happened that these were the only services that did not require me to have Widevine enabled.

All the others (Netflix, Amazon Prime Video, HBO Max etc) automatically detected my lack of a CDM and would give me errors when trying to play any stream on their platforms whatsoever.

Those three were the only services that I could use (although, with Wakanim, even this might not have been the case, as I couldn't even reach the point where I could play media on it).

Wakanim

Wakanim is the outlier because I simply couldn't use it at all. For whatever reason, whenever I tried to use their website, the website presented itself in Russian to me.

I've encountered situations like these when a website tries to auto-detect my location based on my IP and then decides to auto-translate their entire page to whatever language it thinks I speak as a means of convenience.

The only issue is, I'm not Russian, nor do I know or speak Russian whatsoever. I've been born, raised, and am currently living in Romania. So the website auto-translating itself to Russian was quite a hindrance to me.

Normally, a rationally designed web platform would still offer the end-user the possibility of correcting these types of errors by giving them a language selection menu to select a different language from the current one. But no, of course it wouldn't be that easy. Apparently the programmers that worked for Wakanim decided that their platform was too perfect to need such a fallback and that such bugs could never happen on their polished little website (spoiler alert: it happened, to me at least).

So, with Wakanim, at least, I really can't say whether or not it would allow for playing protected media without a CDM installed. From what I read online, supposedly, you can actually download the video series that you purchase from their platform, in an unencrypted format, so you can then play that media on any player of your choice, offline.

If that were true, I would have been mighty impressed and a big fan. It would mean that there's really no point in employing a CDM and encrypting the data stream if you're just gonna gift-wrap the protected content to your customers anyway.

I guess we'll never know now, since they've been discontinued since November 2023.

HIDIVE

Oh, good ol' HIDIVE. It's very funny to think that the entire reason why I initially chose to become one of their customers is because I could use their platform without needing to install proprietary components in my browser to watch their videos.

My relationship with them was a short lived one, as any of those that follow my anime blog already know (specifically, the blog which can be found here).

If you don't know, long story short, I made a subscription to them back in early 2022, watched a couple of their shows that were pretty fun (like Tokyo Mew Mew New, The Executioner and Her Way of Life, Endo and Kobayashi Live! The Latest on Tsundere Villainess Lieselotte and many, many more) but eventually, at some point during April or May 2023 I think, they suddenly and abruptly stopped servicing Romanian customers on their platform. You can read more about that over here.

Eventually I decided to mask my location using a VPN to appear as if I was from a different country so that I could still stream from them but, when the time eventually came to renew my yearly subscription towards them, I decided to cancel and never look back.

In the end, I liked the fact that they don't force a proprietary CDM down your throat in order to stream videos from them. And if you're also anti-proprietary DRM and want to support video-on-demand platforms that don't require them too, then you might like them.

Personally I cannot, in good conscience and with my self respect intact, continue to financially support a service that discriminates against me simply for being from Romania, so I choose not to continue giving them money (I know that it's not a personal matter and that they just made a financial decision to stop supporting Romania, I get that, but I still find it insulting nonetheless).

Crunchyroll

Finally we came to the last one in our list. Please be aware, though, that what I'm about to write is a, mostly, historical piece about how things were back at the time.

For a long time (I don't even know since when but it's been the case at least since I joined them), Crunchyroll somehow allowed you to stream their content without actually needing to activate the Widevine CDM in your web browser.

I don't know if they've ever officially supported that, since as far as I can tell, their website always warned that you should enable it to have it work, but unofficially, if you kept it disabled, either intentionally or unintentionally, the page you'd load would warn you that you need to turn it on but, eventually, the video would still load without any issues.

Yes, that's right. You used to be able to watch Crunchyroll videos entirely unprotected, no CDM required, at your leisure.

That. was. AWESOME.

Key words being “used to”.

At some point in the past (I think late 2023?) they patched their JavaScript implementation and now their website correctly detects whether you have the CDM disabled or not. If you do have it disabled, it doesn't allow you to stream anymore.

So this obscure workaround doesn't actually work anymore, as of the posting of this blog post.

I am tremendously saddened by this outcome, I'm not gonna lie.

Crunchyroll, the last bastion of hope that I had for a free web has betrayed me, and now I am forced to enable my Widevine CDM again, just to watch Crunchyroll videos again.

Conclusion

I know what many people are going to tell me: it's selfish of me to want for streaming services to disable the only means that they have for protecting their content just because of my personal puritan ideology of hating proprietary software.

I get it, I really do.

That's why, in the end, I decided to still keep my Crunchyroll subscription.

Because, even though I'm unhappy with how things turned out to be, I realize that what I want is pretty much impossible to implement: I want full complete control over my own hardware and everything that runs on it (i.e. the free software philosophy, in a nutshell) but I also want to be able to stream copyright protected videos through that hardware as well (which requires at least some proprietary closed-source components to implement the necessary protections).

This is a contradiction that has no solution. In fact, this isn't even a technical dilemma, the way I always thought of it, but merely a philosophical one.

The only way to reconcile on this is to make some compromise: either I give up on streaming media on my PC entirely and embrace a fully open and free software ecosystem, or I decide to allow media streaming on my PC, in which case, I have to install at least some proprietary software to allow for its protection and copyright enforcement.

Ultimately, I made the decision that any weak willed individual would make and I eventually caved in and enabled the Widevine CDM. It was a choice, a painful choice, but a choice I needed to make.

Some might argue that it was the wrong choice and, to be honest, I wouldn't necessarily even disagree with them. Compromising on one's own ideals because of convenience is never an easy pill to swallow, but I did.

Still, it is because of this decision that I still get to watch Crunchyroll streams to this day, and maintain my anime blog as well.

So I guess at least some things worked out, for better or for worse.

Still, I can't help but wish for a better world: a world where maybe copyright holders decide to be more trusting of their consumer base and allow them to watch their media without having to devolve to such barbaric and convoluted processes just to prevent piracy.

Because, as many people have shown in the past, DRM is nothing more than additional hoops that are added to discourage piracy. It does not guarantee that piracy will never happen.

And time and time again it's been shown that pirates, for better or for worse, will get their hands on said protected media one way or another, through various means, and the end result is always the same: DRM just acts as a minor impediment in the grand process of breaking the protection schemes.

The people that always end up suffering the most when DRM is added to products are the lawful consumers.

Blog post by Alexandru Pentilescu.

You may contact me at alexandru.pentilescu@disroot.org

Optionally, you may also encrypt your emails to me using the following PGP key: 0xFF49E5748BD42A6A6A7DECFDD38B28DF9F7497A2

Download that key from any keyserver you wish