AFAIU the argument is more that youtube-dl is effectively a web browser and doesn’t do anything that a web browser doesn’t do. Further, it does not include any “secret” key for DRM circumvention like might be bundled with e.g. Chrome in the case of Widevine, where browser vendors agree to protect the secret key.
"youtube-dl stands in place of a Web browser and performs a similar function with respect to user-uploaded videos. Importantly, youtube-dl does not decrypt video streams that are encrypted with commercial DRM technologies, such as Widevine, that are used by subscription video sites, such as Netflix."
"We presume that this “signature” code is what RIAA refers to as a “rolling cipher,” although YouTube’s JavaScript code does not contain this phrase. Regardless of what this mechanism is called, youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them. As federal appeals court recently ruled, one does not “circumvent” an access control by using a publicly available password. Circumvention is limited to actions that “descramble, decrypt, avoid, bypass, remove, deactivate or impair a technological measure,” without the authority of the copyright owner."
The (English) phrase is used verbatim in the (German) 2017 LG Hamburg claim and verdict. It is not explained there, nor did the claimant explain where they got it from. I’m assuming that it’s based on a misunderstanding of “rolling codes” [1], an actual cryptographic technique, which isn’t applied here (the only overlap is that the “s” parameter of the YouTube video URI varies for certain videos; and, well, the key in rolling codes also varies).
Interestingly that verdict also claims that URL encoding is a valid, effective encryption measure (I’m not kidding! See [2]; the German word here is “Prozentcodierung”, i.e. percent-encoding).
The court in question (LG Hamburg) is infamous in Germany for its technically illiterate, consistently laughable verdicts in IT-related cases (this isn’t a recent thing — it’s been going on for about two decades).
Right, but the law makes no mention of secret keys, it just says you can't go around anything that controls access to a copyright work; and you can't provide tools to do so. The actual legal definition of tools covers both actual technical purpose as well as marketed purpose. Rebranding, say, OBS as "Recorder for YouTube" and talking about how you can use it to get around YouTube's downloading protections by screencapping the entire video would possibly constitute a 1201 violation.
There's also another question of law, though: does 1201 apply when only the intent of the DRM has been circumvented, as opposed to its technical scope? In other words, does pointing a camera at a monitor constitute circumvention of DRM under section 1201? Most DRM can't actually validate, say, that a human is watching instead of a camcorder. (Let's ignore pesky things like Cinavia which are more akin to post-piracy frustration techniques, and easily circumvented with any kind of Free media player.) Likewise, YouTube's rolling cipher can't really validate that it's not sitting inside of an instrumented browser that will dump whatever URLs it grabs. Our hypothetical OBS rebrand wouldn't actually be a 1201 violation unless the law specifically covers things that DRM can't technically enforce but would like to.
The rebuttal to your reasoning is in the letter. Basically a federal judge has previously ruled that utilizing a publicly available password is not circumvention of a copyright protection mechanism. The code containing the "sig" (as google calls it) or "rolling cipher" (as RIAA calls it) is available to anyone by viewing the JavaScript. This sig / cipher being public means it is not a copyright protection mechanism.
The detail of the “publicly available password” case [1] is quite interesting. It’s not directly analogous to the YouTube system, but as the EFF points out, the RIAA’s reliance on German law has its own problems.
> When Petrolink learned that one of its largest customers, EOG Resources, might switch over to Digidrill’s visualization service, Petrolink took action. Instead of paying Digidrill for access to the corrected drilling data via LiveLog, Petrolink obtained a laptop running DataLogger – along with the corresponding USB security dongle – and then, after realizing DataLogger used an open source Firebird database, managed to gain access to the database by using Firebird's default administrator username and password. Armed with this access, Petrolink developed a program named “RIG WITSML” (dubbed “the scraper” or “the hack”) that could be installed on an MWD company’s computer running DataLogger in order to – in real time – query corrected drilling data from the DataLogger database and transfer that information to PetroVault for visualization. Petrolink then began installing this RIG WITSML program on MWD computers running DataLogger at more than 300 well sites.
> This sig / cipher being public means it is not a copyright protection mechanism.
I can see this as ending up with Youtube being forced to require sign-ins. Massive expense for Google. Then Youtube-dl adds one parameter for the password, and we're back to square one.
Google quickly kills any iOS/Android app that offers offline playback functionality for YouTube, so I can't imagine they love youtube-dl. They probably only haven't made a stink because it might attract more attention to a tool primarily only known about in techhead circles.
I think the difference is that offline playback and background playback on iOS/Android can be unlocked through YouTube Premium so those apps directly interfere with YouTube's bottom line. YouTube-dl I don't really see as directly competing with that because it's not trivial to download a YouTube video from it to your phone.
And given how unlikely people are in the wider non-technical audience to, god forbid, run a command line program, I guess they really just don't care.
They do take easily accessible apps that use youtube-dl under the hood pretty seriously. I guess it depends on how much of an effort it is for them vs how much of their bottom line ytdl is cutting into.
Yes it does. I go to the page (ad), copy the URL, and youtube-dl.
More critically, Youtube relies on network effects and people using it. Part of the reason we share family videos, educational content, and other things is so it's, well, shared. For me, the reasons to use Youtube-dl are:
1) People in bandwidth-constrained settings. If I post my videos, and colleagues in some countries can't watch them, I'm going elsewhere.
2) Remixing. If I can't make collages of family videos, I'm going elsewhere.
Youtube can serve masters like me, where it's an effective platform for sharing videos I want people to watch, and where the goal is dissemination. It can serve masters like the RIAA and the MPAA, where the goal is monetization and control. It will have a hard time serving both.
I suspect if it tries, people like me will go to someone who caters to us. A YouYesYouNoNotTheRIAAYesYOUTube. If we do, I think there will be enough of a network to start to syphon people off, and eventually, cat videos and Aunt Alice will be on YYYNNTRYYT.com, while corporate video will be on DRMed Youtube.
Perhaps more importantly, the number of people using youtube-dl because it allows you to watch videos without ads almost certainly pales in comparison to the number of people just using adblockers. Youtube-dl makes you wait.
Downloaded videos often get remixed into other videos that generate ad revenue. Commentary, reaction videos and compilations are substantial parts of youtube.
How many people downloaded Shake It Off with youtube-dl vs. the people who watched it from the official YouTube app or stock Google Chrome? youtube-dl does not nearly threaten their revenue in any tangible way.
Yes, but is there any indication that they work against youtube-dl in some specific way? Adversarial actions like changing youtube to render youtube-dl non-functional?
Youtube has to listen to the RIAA's demands because music and music videos are a huge portion of their traffic. The music industry could decide to move all that to Spotify if they chose.
They took that poison pill already. I really, really doubt new pop music ever stops being part of youtube in the future; the audience is too large. It would be like them taking music off of the radio because people could record it on reel-to-reels. They might stomp around a bit and try to use the law to get what they want, but when push comes to shove the big labels will keep their music on youtube.
I am not that afraid that google would require sign-ins for everything. Even google with its massive market dominance should be pretty scared of giving such a clear opening to a competitor, and being accessible without a login is a huge feature in order to get market share quickly compared to a competitor that does not.
The developers are not responding to the issue, and from what I understand it is borderline impossible to fix, because there is an entire security team behind the Google login protection. The only workaround is to log in with a browser and copy the cookies from it to youtube-dl.
I'm pretty sure that is what they mean, yes. It is a nice tool. Lets you write HTTP(S) templates with parameters and whatnot, save them in groups, send them, handle the response, etc.
Why not simply create a youtube-login command that does nothing but launch an electron instance that lets you log in to youtube and then returns the cookie?
youtube-dl could then call that command to obtain the cookie.
Content with a certain age threshold triggers login. The last time I looked at this, embedding these videos was still possible without logging in. So there are definitely ways of accessing the content without authentication.
Hm. If embedding works maybe my ad-blocking is sufficient; or I just haven't come across any that require it. I mostly just watch woodworkers/machinists/electronics/etc. Sort of conceivable it could be age restricted but would also be surprising.
Yes, it would be problematic if, for example, Samsung was marketing their latest flagship as "Our dark-light technology means you can take nearly pixel-perfect video of movies while you watch them in the movie theatre!"
> Likewise, YouTube's rolling cipher can't really validate that it's not sitting inside of an instrumented browser that will dump whatever URLs it grabs.
What are the criteria for differentiating between youtube-dl and a "browser"?
In this case a “browser” is a YouTube client that copyright holders are happy with, because it doesn’t provide any simple way of saving offline copies.
Sure, it would be "effectively a web browser". But it would also require a secret key. If the program is not licensed to hold the key, that could be considered circumvention.
I even sidestepped the obvious of loading widevine.so, running it, symbolic execution, etc. It's mostly a thought experiment to show how everything is stupid in the end.
I'm afraid in a few months/years, we'll see the hardware security level become mandatory for Netflix, etc. And then YouTube.
In the old days, someone who wanted to send you this kind of content would build and sell hardware for you to receive and play it (like a DVD player).
Online streaming services have, in part, scaled so quickly because they run on the general-purpose computers that people already own. So they don't need to bear that hardware cost. These general purpose computers have been fertile soil to grow and nurture the seeds that software companies scatter to the winds.
How interesting it would be if it comes full circle with specialized hardware being required on each PC to receive the content stream.
That kind of "pull the ladder up behind you" strategy would be a natural thing for today's dominant players to try. They benefited from an open playing field, but now they no longer need it. If they succeed, they have established a massive moat to stave off competition. If they manage to get it into standards and legislation, then undoing it would require a tectonic shift.
Google is especially well positioned for this - Chrome, Google Search, Android and Youtube being potentially very effective places to do DRM media gatekeeping. "don't be evil" had to go from their mission statement. Maybe "universally accessible" will be next...
The way they do it is to bake DRM mechanisms into platforms. Intel ME, AMD PSP, Apple T2 chip/SE, those secondary computers bear the DRM hardware features, so end product manufacturers don’t have to handle it.
It's still going to be hardware everyone already owns, just with specific features. It's not a separate purchase of a dvd player, you're buying a phone that has the licensing chip built in
Isn't the Widevine password essentially public as it is distributed to the client where it was extracted? Or was the Widevine key somehow stolen from Google's private repository?
There are multiple widevine keys, some are in CPU memory (shipped with the client software), some are in trusted enclaves on devices. Some of the trusted enclave keys have been dumped from hardware (nexus 6 for one, iirc) and eventually those keys were revoked or downgraded
I wonder if the RIAA will now be putting pressure on YouTube to use the same DRM as Netflix, so that when a video is downloaded they can’t use this ‘it’s just a browser guv’ defence because there would then have to be some circumvention to make it work.
But it doesn't really work: If you protect your house with no lock, not even a door, but just a little rope with a sign on: "Do not jump over or duck under this ribbon, or cut it!", that's, for the DMCA, enough - so you get into fun games where you claim that, say, a long random unique key that is right there in the HTML youtube.com serves which links to the video is a 'security measure' and that 'I shall read the URLs in this <video> tag and download what I find there instead of showing it on the screen' is 'circumventing this'.
How far can you stretch the meaning of 'circumventing access-control measures' before, in court, you lose your argument? I don't think anybody quite knows yet, but surely github doesn't want to be on the hook for it without microsoft's legal team and management signing off on the risk.
Furthermore, separate from DMCA's hacking provisions, there is simply the concept of who is responsible for any copyright infringement caused by stuff github hosts. As per 17 USC §512 (the so-called 'safe harbor provision'), the idea of claiming 'hey I just host this stuff, I'm not responsible for this, why don't you take it up with whomever uploaded this' is codified: You can do that, but it does mean that you _MUST_ take down the content in response to a takedown notice, and if you don't, then you are now liable for any infringement that content makes.
The idea is that the owner of the data files a counterclaim notice, at which point the hoster (github) is free to re-host everything without opening itself up to liability, but only if, as per 17 USC §512, they do so 'no less than 10 days and no more than 14', and github did it in 1 day, so whoopsie there I guess.
At that point it does turn into a fight between claimer and counterclaimer: The idea behind those 10 days is that the supposed real content owner can then go file in court against the counterclaimer; merely filing a lawsuit is enough: Show that to the hoster (github), and they can no longer re-enable the content without then being liable for infringement by doing so.
You can't file a counterclaim until your content is removed.
Yeah, that means an utter bozo can take your content down for at least 10 days and there is nothing you can do about this. The DMCA is not particularly well designed in this manner (it doesn't protect against trolly crud well, and getting a barratry verdict in the US is borderline impossible). But that's how it works.
In github's shoes, the fact that youtube-dl doesn't infringe is relevant only insofar that they are willing to ride that notion allllll the way to the gavel in the ensuing court case, because they will be defendants if they ignore the takedown request. Presumably they weren't going to just do that without at least a close look by microsoft's legal team, and a signoff from the big wigs for the likely millions this will cost, given that US law in these matters is... well, have you ever seen one of those shows where 2 people are on a beam and trying to knock the other one off with a giant q-tip? US law is like that, except the ends of the q-tips are moneybags.
> "Do not jump over or duck under this ribbon, or cut it!", that's, for the DMCA, enough - so you get into fun games where you claim that
No. There must be an effective technological measure (objectively, according to the state of the art); see https://www.law.cornell.edu/uscode/text/17/1201 (a)(1)(A): No person shall circumvent a technological measure that effectively controls access to a work protected under this title.
This law article is utterly hilarious and self-contradictory.
No-one should be able to circumvent "a technological measure that effectively controls access", by definition.
If someone does circumvent a measure intended to control access, this proves that the measure was not, in fact, effective, thereby rendering the entire article inconsequential.
The lock at your door is also assumed to effectively control who can open it, but as we know keys can be duplicated. However, it is not possible to copy it without access to your original key and the necessary effort. This is sufficient for the legislator. It would be different if you hung your key on the outside of the door a priori, like Youtube does.
GP was speaking metaphorically, following your (GGP's) metaphor. For some reason, you abandoned the metaphoric level and misunderstood this to be about real keys and locks.
For many and most physical keyed locks, you can decode the lock with special picks or impressioning tools. It can be pretty time and skill intensive though.