this post was submitted on 23 Jul 2023
85 points (97.8% liked)
Explain Like I'm Five
14235 readers
39 users here now
Simplifying Complexity, One Answer at a Time!
Rules
- Be respectful and inclusive.
- No harassment, hate speech, or trolling.
- Engage in constructive discussions.
- Share relevant content.
- Follow guidelines and moderators' instructions.
- Use appropriate language and tone.
- Report violations.
- Foster a continuous learning environment.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It stands for digital rights management, and basically it's anything that attempts to manage how you use your hardware.
For example, Keurigs that use the qr code to tell the size of the pod are an example of DRM - they attempt to keep you from using 3rd party pods (I think they walked this back).
It's also a great example of how it's more an annoyance that makes the product worse than anything else - you could tape an "official" pod wrapper to the top and it will work with any pod. It also makes it less sanitary and if the wrapper shifts it introduces extra steps between you and your coffee, which should be a criminal offense
It's next to impossible to fully control a device in someone else's hands. YouTube videos use DRM, but you can find plenty of ways to download them in an open format anyways.
The exception is when they call out to a remote server - a lot of video games do this (unfortunately even single player games do this a lot now). They might check for ownership before you start the game, but lately they've been drilling holes in the security of your computer so they can make sure you haven't modified it (even for single player games!), which should also be criminal.
This is much harder to crack, but it can still be done.
Then you get to DRM that runs on both sides, which is what this proposal is. They basically want a 3rd party "attester" to verify that your browser is "legit" (what they mean by that is kept pretty vague). Then, when you access a site, the site checks your request, confirms with the attester that your browser is "legit" and will run their code on your machine as written, and if the attester doesn't give the all clear they send you an error page instead of the site you asked for.
So let's go through some of the concerns I have after reading through the proposal:
Many sites decide Firefox, as the only major browser not based off Google's browser engine, isn't "legit". Already, some sites block Firefox, so this is very likely
Anyone can set up an attester, but sites can decide which they trust. The attester has a lot of access to data which can positively identify you, but they're only supposed to send a bit of it. If Facebook decides they only trust their own attester, they're probably not going to pass up collecting as much data as they can. That could include everything from the phone you have, the apps you have installed. Facebook doesn't need to know where I bank, but if their attester becomes standard, they might get that info even if I never use a Facebook product. Or, all attesters might decide to sell data as their business model
The only privacy considerations seem to be "we had privacy advocates in the group that drafted this proposal". If this is true, I'm not sure who they were, because privacy didn't come up too often
There's zero reason for this to exist, except to lock down our devices. This benefits corporations - it offers absolutely nothing to users. There's no way it could ever offer anything to users. .
All it does is let websites block users based on vaguely defined criteria - it's a proposal so the details are vague, but the most generous reading would be that they could restrict you based on browser, the least generous reading means everyone could tell you to uninstall a competitor's app before you can use theirs (and selling every scrap of information about you imaginable)
I'm not so certain about that. I wouldn't know the exact implementation or if it is possible/feasible, but couldn't this 3rd party attester cut down targeted attacks to servers? (Like DDoS attacks or other server vulnerabilities).
Not AT ALL saying that the ends justify the means in this case. Google can fuck right off with any claim to security or privacy, but that's my first thought to an actual benefit.
How would a 3rd party attester cut down on DDoS attacks?