Web DRM, an Overview (2) - Encrypted Media Extensions (EME)
The previous article, "Web DRM, an Overview (1) - Digital Content Protection", concluded that while most online resources using DRM cannot perfectly prevent users from copying content privately, there are Web DRM standards for basic video encryption protection. These standards at least prevent unauthorized users from easily accessing videos.
About EME and Web DRM
In 2017, amidst controversy, W3C passed the Web DRM standard, also known as EME (Encrypted Media Extensions). EME is essentially a universal specification for different DRM manufacturers to communicate using the same standard, with each manufacturer implementing their own encryption and decryption technologies.
This standard has existed since 2012 as an unofficial standard among browsers, shipped in the form of a closed-source CDM (Content Decryption Module). W3C's passage of the EME standard therefore merely formalized it and upgraded it to an official standard, despite significant controversy and skepticism from advocates of internet openness. See: "W3C Blog: On EME in HTML5."
— Tim Berners-Lee
Since EME is a standard, the actual identity verification and encryption/decryption are carried out by the CDM module specified in the standard, developed by individual DRM vendors. Under the EME standard, a website or application can use the same interface or keys to handle encrypted content from different DRM vendors, as long as the encryption format of the video is determined beforehand.
Edge, IE11: PlayReady
There is also ClearKey, which does not depend on any vendor and is cross-browser; you can implement it for development or testing use.
Start Using EME to Protect Video Resources
For businesses wanting to try EME protection, the fastest way is to choose an authorized third-party service provider, such as EZDRM, Axinom, castLabs, etc. You can find globally authorized manufacturers from the following DRM pages:
Here are some third-party service providers we are aware of, listed without recommendation or in any particular order:
After signing a contract with these manufacturers, they will provide back-end or related SDKs, and enterprises can use their servers as content authentication hosts to verify users' video authorization range. They usually support multiple encryption CDM modules. They also provide video encryption methods. After encrypting the video with these tools, it is then distributed to users' browsers. The videos downloaded by the browser cannot be played by ordinary players but must be decrypted in real-time by the decryption module on your website.
If you simply want to host videos, there are also dedicated DRM platforms for video hosting. You just need to upload videos from their backend and embed them on your website to use them. These platforms even offer dynamic watermarking features, creating different video watermarks for each viewer to prevent recording. However, note that this real-time watermark creation mechanism is relatively more expensive.
What Business Models Are Available
Most DRM and agents support several business models, which can be chosen according to enterprise needs:
Pay by duration
Permission based on authorization status
And video resources can be distributed in two common modes:
Progressive download (download as you play)
These features, whether Widevine or PlayReady, are provided on major platforms with ready-made management modes and SDK packages, allowing developers to focus on the architecture for commercial logic.
Can I Set Up My Own Licensing Server?
If you prefer not to use third-party licensing providers and wish to set up your own Widevine or PlayReady server, it's possible but more complicated. For Google Widevine, general public access to the Server SDK isn't available. You need to apply to become their distributor and pass a test to get the server code. While PlayReady offers free server tools, you still must contact Microsoft to obtain the server SDK. Practically, it's often advised to start with a reputable DRM partner for faster business model implementation.
Can I Build My CDM Module Without DRM Vendors?
The ClearKey protocol is available in any browser, so you can implement ClearKey to build your own encryption and decryption logic for your media resources. However, ClearKey uses unencrypted keys to decrypt resources, so it is not a safe way to protect your data. We recommend using ClearKey only for testing.
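The ClearKey exchange described above, as an added example that is not part of the original article: the CDM's license request lists key IDs, and the application answers with a JWK Set that carries each content key as plain base64url, which is why ClearKey suits testing only. The key ID, key, and all function names are constructed or hypothetical.

```javascript
// Added example, not from the original article. The key ID and key below are
// constructed test values; KEYS, buildClearKeyLicense, keysVisibleInLicense,
// onMessage and sampleRequest are hypothetical names.
const KEYS = { // key ID (hex) -> content key (hex)
  '00112233445566778899aabbccddeeff': '0f0e0d0c0b0a09080706050403020100',
};

const hexToBytes = (h) => Uint8Array.from(h.match(/../g), (b) => parseInt(b, 16));
const bytesToHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
// EME Clear Key uses base64url without padding for both "kid" and "k".
const toB64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Turn the CDM's license request ({"kids":[...],"type":...}) into the
// JWK Set license that the Clear Key CDM accepts in session.update().
function buildClearKeyLicense(requestBytes, keyStore) {
  const request = JSON.parse(new TextDecoder().decode(requestBytes));
  if (!Array.isArray(request.kids)) throw new Error('malformed license request');
  const keys = request.kids.map((kid) => {
    const keyHex = keyStore[bytesToHex(fromB64url(kid))];
    if (!keyHex) throw new Error(`no key for kid ${kid}`);
    return { kty: 'oct', kid, k: toB64url(hexToBytes(keyHex)) };
  });
  const license = { keys, type: request.type || 'temporary' };
  return new TextEncoder().encode(JSON.stringify(license));
}

// What anyone who can read the license response sees: the raw content keys.
function keysVisibleInLicense(licenseBytes) {
  const license = JSON.parse(new TextDecoder().decode(licenseBytes));
  return license.keys.map((jwk) => bytesToHex(fromB64url(jwk.k)));
}

// Browser wiring: handler for a MediaKeySession 'message' event.
function onMessage(event) {
  const license = buildClearKeyLicense(new Uint8Array(event.message), KEYS);
  return event.target.update(license);
}

// Constructed license request, shaped like the one the CDM emits.
function sampleRequest(kidHex) {
  const body = { kids: [toB64url(hexToBytes(kidHex))], type: 'temporary' };
  return new TextEncoder().encode(JSON.stringify(body));
}
```

In a page, `onMessage` would be registered with `session.addEventListener('message', onMessage)` on a session created for the `org.w3.clearkey` key system.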
EME and Web DRM provide a universal encryption mechanism across manufacturers, filling a gap in HTML5 environments akin to DRM mechanisms in Flash and Silverlight.
However, even with EME, it's not 100% piracy-proof. It increases the difficulty of unauthorized access and reduces the quality of the resources obtained. For instance, Widevine's L1 encryption has been claimed to be cracked by certain groups, but not publicly, while L3 encryption is more commonly broken into, albeit with lower quality.
As mentioned in the previous article, replay and recording attacks are undefendable since any content eventually needs to be converted into physical signals visible to the naked eye, and these signals can be recorded by additional devices.
Web DRM primarily verifies user payment and access rights to specific resources. For those intent on copying resources elsewhere, it remains ineffective.
If you're seeking to protect all your digital assets from being copied, EME can only increase the difficulty but cannot provide absolute assurance of perfect protection.