Web DRM, an Overview (2) - Encrypted Media Extensions (EME)

Web DRM, an Overview (2) - Encrypted Media Extensions (EME)

The previous article: Web DRM, an Overview (1) - Digital Content Protection concluded that while most online resources using DRM cannot perfectly prevent users from copying content privately, there are Web DRM standards for basic video encryption protection. These standards at least prevent unauthorized users from easily accessing videos.

About EME and Web DRM

In 2017, amidst controversy, W3C passed the Web DRM standard, also known as EME (Encrypted Media Extensions). EME is essentially a universal specification for different DRM manufacturers to communicate using the same standard, with each manufacturer implementing their own encryption and decryption technologies.

This standard has been in existence since 2012 as an unofficial standard among browsers, existing in a closed-source CDM (Content Decryption Module) form in browsers. Therefore, W3C's passage of the EME standard merely formalized and upgraded it to an official standard, despite significant controversy and skepticism from advocates of internet openness. See: "W3C Blog: On EME in HTML5."

If W3C did not recommend EME then the browser vendors would just make it outside W3C. If EME did not exist, vendors could just create new Javascript based versions. And without using the web at all, it is so easy to invite ones viewers to switching to view the content on a proprietary app. And if the closed platforms prohibited DRM in apps, then the large content providers would simply distribute their own set-top boxes and game consoles as the only way to watch their stuff.

— Tim Berners-Lee

Since EME is a standard, the actual identity verification and encryption/decryption are carried out by the CDM module specified in the standard, developed by individual DRM vendors. Under the EME standard, a website or application can use the same interface or keys to handle encrypted content from different DRM vendors, as long as the encryption format of the video is determined beforehand.

The main popular DRM vendors under the EME standard includes Microsoft's PlayReady, Google's Widevine, and Apple's FairPlay, each corresponding to different browsers:

  • Chrome: Widevine

  • Edge, IE11: PlayReady

  • Firefox: Widevine

  • Opera: Widevine

  • Safari: FairPlay

There is also a ClearKey which does not depend on any vendors and it is cross-brower, you can implement it for development or testing use.

The advantage of using the EME standard is that you can encrypt your videos in multiple ways, and then decrypt them with the same key and program on different browsers, automatically recognizing the encryption method. CDM itself is closed-source, so hackers cannot access your decryption algorithm as they could with reverse-engineered JavaScript code. Therefore, compared to developing your own encryption/decryption mechanisms, security is further enhanced.

Start Using EME to Protect Video Resources

For businesses wanting to try EME protection, the fastest way is to choose an authorized third-party service provider, such as EZDRM, Axinom, castLabs, etc. You can find globally authorized manufacturers from the following DRM pages:

Here are some third-party service providers we are aware of, listed without recommendation or in any particular order:

  • Axinom

  • BuyDRM

  • CastLabs

  • ExpressPlay


  • Inka Entworks

  • Vualto

  • Verimatrix

After signing a contract with these manufacturers, they will provide back-end or related SDKs, and enterprises can use their servers as content authentication hosts to verify users' video authorization range. They usually support multiple encryption CDM modules. They also provide video encryption methods. After encrypting the video with these tools, it is then distributed to users' browsers. The videos downloaded by the browser cannot be played by ordinary players but must be decrypted in real-time by the decryption module on your website.

If you simply want to host videos, there are also dedicated DRM platforms for video hosting. You just need to upload videos from their backend and embed them on your website to use them. These platforms even offer dynamic watermarking features, creating different video watermarks for each viewer to prevent recording. However, note that this real-time watermark creation mechanism is relatively more expensive.

What Business Models Are Available

Most DRM and agents support several business models, which can be chosen according to enterprise needs:

  • Pay by duration

  • Permission based on authorization status

  • Pay-per-use

  • Short-term rental

  • One-time purchase

  • Ad-supported models

And video resources can be distributed in two common modes:

  • Complete download

  • Progressive download (download as you play)

These features, whether Widevine or PlayReady, are provided on major platforms with ready-made management modes and SDK packages, allowing developers to focus on the architecture for commercial logic.

Can I Set Up My Own Licensing Server?

If you prefer not to use third-party licensing providers and wish to set up your own Widevine or PlayReady server, it's possible but more complicated. For Google Widevine, general public access to the Server SDK isn't available. You need to apply to become their distributor and pass a test to get the server code. While PlayReady offers free server tools, you still must contact Microsoft to obtain the server SDK. Practically, it's often advised to start with a reputable DRM partner for faster business model implementation.

Can I Build My CDM Module Without DRM Vendors

The ClearKey protocol is available for any browser, you may simply implement ClearKey to build your own encrypt/decrypt logic for your media resources. However, you must know that ClearKey uses unencrypted keys to decrypt resources, it is not very safe to protect your data, so we recommend only using ClearKey for the test process.


EME and Web DRM provide a universal encryption mechanism across manufacturers, filling a gap in HTML5 environments akin to DRM mechanisms in Flash and Silverlight.

However, even with EME, it's not 100% piracy-proof. It increases the difficulty of unauthorized access and reduces the quality of the resources obtained. For instance, Widevine's L1 encryption has been claimed to be cracked by certain groups, but not publicly, while L3 encryption is more commonly broken into, albeit with lower quality.

As mentioned in the previous article, replay and recording attacks are undefendable since any content eventually needs to be converted into physical signals visible to the naked eye, and these signals can be recorded by additional devices.

Web DRM primarily verifies user payment and access rights to specific resources. For those intent on copying resources elsewhere, it remains ineffective.
If you're seeking to protect all your digital assets from being copied, EME can only increase the difficulty but cannot provide absolute assurance of perfect protection.