Privacy implications of browsers’ (mis)implementations of Widevine EME (2023)

tgsovlerkhgsel

I've set DRM to require explicit approval in the browser, and I've seen random web sites that have no obvious reason to do so randomly request the permission.

I don't know what exactly causes this, since it's intermittent (the same web site doesn't always do it) and happens even with various ad and tracking blockers in place.

NooneAtAll3

I wish it was possible to auto-reject it instead of constant pop-ups

mjevans

I detest auto-play videos and in fact am usually happy when some random news site I'm reading an article on gets blocked by not having DRM.

tgsovlerkhgsel

That's the thing though - I don't think it blocked videos on the site, if there even were any.

__MatrixMan__

That has been my experience too. Brave asks me if I want to install widevine, I say no, and then nothing appears broken.
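
The behaviour discussed in the comments above (pages asking for DRM access for no visible reason, and the wish to auto-reject such requests) can be observed from inside a page by wrapping the standard EME entry point `navigator.requestMediaKeySystemAccess`. This is an added example, not part of any comment in this thread; `installEmeGuard` and `summarize` are hypothetical names, and the wrapper takes a navigator-like object so it can also be exercised outside a browser.

```javascript
// Added example: record (and optionally reject) EME key-system requests.
// installEmeGuard / summarize are hypothetical helper names, not a browser API.
function installEmeGuard(nav, { block = true, log = [] } = {}) {
  const original = nav.requestMediaKeySystemAccess;
  if (typeof original !== 'function') return log; // EME not exposed at all

  nav.requestMediaKeySystemAccess = function (keySystem, configs) {
    // Keep the first few stack frames: they carry the URL of the script
    // that made the request, which is what identifies the requester.
    const stack = (new Error().stack || '').split('\n').slice(1, 5)
      .map((line) => line.trim());
    log.push({
      keySystem: String(keySystem),
      configCount: Array.isArray(configs) ? configs.length : 0,
      blocked: block,
      stack,
    });
    // Observe-only mode: forward the call to the real implementation.
    if (!block) return original.call(nav, keySystem, configs);
    // Reject with NotSupportedError, the error EME defines for an
    // unsupported key system, so pages take their normal fallback path.
    const msg = 'Key system not supported';
    const err = typeof DOMException === 'function'
      ? new DOMException(msg, 'NotSupportedError')
      : Object.assign(new Error(msg), { name: 'NotSupportedError' });
    return Promise.reject(err);
  };
  return log;
}

// Count requests per key system, e.g. to spot pages probing Widevine
// ("com.widevine.alpha") without playing any protected media.
function summarize(log) {
  const counts = {};
  for (const entry of log) {
    counts[entry.keySystem] = (counts[entry.keySystem] || 0) + 1;
  }
  return counts;
}

// In a page context (a user script or extension script running in the
// page's own JavaScript world) the call would be: installEmeGuard(navigator);
```

The wrapper has to be installed before the page's own scripts run, otherwise an early request is neither logged nor rejected.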

1vuio0pswjnm7

Popular web browsers way too complex, far too difficult to control.

Simpler software could satisfy web users.

Could reduce potential for surveillance and annoying distractions. Easier to audit and control.

kbrosnan

No, simpler software is not accepted by the general public. For a few years Firefox rejected EME/Widevine. When Netflix does not work then they will just use a browser that works.

conception

We should have stopped with gopher. I’m not even sure I’m joking.

jwrallie

Interestingly, DRM is also being used by Signal for privacy concerns over Windows Recall, as discussed on HN [0] previously.

[0] https://news.ycombinator.com/item?id=44053364

sodality2

"Used" is a strong term, they're not really utilizing the DRM codepaths, AFAIK it simply tells the OS that the window is software that does use DRM and thus should be excluded from any screenshots. The existence of DRM and desire of Windows to abide by its rules are what Signal relies on.

AnthonyMouse

That's more of a double-edged sword hack than "using DRM". The theory of DRM is for the system to restrict the content from the user, i.e. the system is adversarial to the user and vice versa.

What Signal is doing is trying to get the system to restrict the content from the rest of the system. Which might work as a transient hack but doesn't actually work to protect the user when the system is adversarial, because Microsoft (the adversary) has the DRM private keys. Even some hypothetical DRM system which is effective in oppressing the user wouldn't prevent Microsoft from purloining the user's data whenever they want because they're the ones who make the DRM.

Dylan16807

> because Microsoft (the adversary) has the DRM private keys

Let's be clear here. That's a fine point in the generic sense, but in the Signal situation there are no private keys and it's not really DRM.

AnthonyMouse

It kind of is though?

Suppose a third party app wants to make screen captures. Windows prevents it, because otherwise it could do the same thing to Netflix and capture the video. The thing preventing the app from bypassing that constraint is DRM.

Whereas suppose Microsoft wants to distribute an update to the video rendering code in Windows. It will have access to the data on the screen because it's the thing converting it into pixels, so Microsoft signs the new code with their private keys and distributes it to your PC and it gets access to what's on your screen. Which they could also do with code designed to exfiltrate it.

bitpush

Microsoft can't and will not break that trust, because then Netflix and others will stop serving content to Microsoft products.

This is similar to HTTPS certificate chain of trust. The root signing authority needs to be trusted, but once you break that trust there's no going back. It is a self-regulating system.

kevincox

I believe that they could just ignore the Signal app's request to DRM protect the content. Unless Signal is actually encrypting the whole app content before submitting it to Windows it is just a request.

This is a bit different to encrypted video where it is actually being encrypted off device.

AnthonyMouse

Why does Netflix care if Microsoft is hoovering up all the user's data? Why would they even care if Microsoft was giving itself access to the Netflix streams? Unlike with Signal there are no real secrets in there.

Plus, what is Netflix even going to do? Stop supporting streaming on Microsoft platforms and then lose a bunch of subscribers for no benefit to themselves?

exceptione

(I had to editorialize to get the title within the limits)

JCattheATM

I flat out have DRM disabled in my browser. If I really really need it, then that's what VMs and VPNs are for.

kiney

I'm curious what are those use-cases where you really need it? I have DRM disabled since forever and never experience any problems that I can relate to that.

Groxx

Music and TV/movie streaming, and that's about it afaict. I've got it disabled too, and I essentially never see issues unless I go to Netflix.

Tijdreiziger

News videos don’t always work without it either.

Aerroon

Which really makes you wonder why so many people fought hard to get it into the browser.

msgodel

I think Spotify doesn't work without it but I switched back to keeping all my music local long ago.

kiney

ok, never used that...

bevr1337

Streaming television

neilv

Same here. For one interim pragmatic purpose, I do have a dedicated setup that has DRM, which I use only for that purpose. I hope to get rid of the nasty DRM altogether in the future.

(For the browser part of the DRM setup, I use Chrome/Chromium, the violate-me-all-the-ways browser. For all other browser purposes, I use both Firefox, the violate-me-fewer-ways browser, and Tor Browser, the draw-fire-of-state-actors-but-thwart-techbro-actors browser.)

shmerl

Not surprising at all.

mattl

Yeah this feels very much the point of DRM in browsers. I will never understand why Firefox caved. This is 100% the kind of thing they should fight.

bevr1337

They "caved" because it's a browser for humans and lots of humans stream TV. I don't miss the daily "how can I watch Netflix on Ubuntu?" posts in different communities. Users can disable Widevine in FF.

userbinator

The answer should be "go sail the high seas."

mattl

I’d be surprised if close to 100% of those users aren’t using Chrome, not Firefox for any streaming purposes.

Dylan16807

This is the point? Not preventing screen capture?

wizardforhire

In this day and age I don't understand why there isn't a more successful fork of Firefox or a new open-source browser that's more successful with privacy as a concern. My only speculation is collective laziness and lack of sex appeal as new technologies have emerged. I’m probably biased as I lived through the browser wars. I guess I’m probably projecting combined with curiosity. I know most of the old greybeards have moved on and those of us left are stuck carrying the torch, but man it sure seems the culture has been eroded significantly. Case in point back in my day it seemed like there was a new browser every few months or so. I’m done ranting, I’ve got kids to yell at to get off my lawn.

ipaddr

Many forks exist like LibreWolf

Eisenstein

Brave is such a browser but seeing as it is backed by Thiel's VC money and involves a crypto monetization incentive for the user (which can easily be turned off, btw) it evokes strong emotions in people who are rightly averse to such things. However, it does do pretty much everything privacy advocates ask for as soon as you turn off a few settings. I use it and would recommend it for people who want an anti-tracking, anti-ad browser if you can live with the drama around it.

mattl

WebKit seems to be doing at least some of that, rejecting some of the more invasive new web APIs. Why does my browser ever need to know my battery status?

charcircuit

I don't understand why anyone would bother forking Firefox when forking Chromium is available which is more advanced and more modular.

> or a new open-source browser

Brave browser fulfills that role.

https://brave.com/compare/firefox-vs-brave/
