White paper: Your DRM Can Spy on You, Too

Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME

In searching for information about Google Widevine, I happened upon the above 2023 study at arxiv.org. The full paper (PDF) is linked there.

Firefox says:

Firefox for desktop supports the Google Widevine CDM for playing DRM-controlled content. Firefox downloads and enables the Google Widevine CDM by default to give users a smooth experience on sites that require DRM. Firefox downloads and enables the Google Widevine CDM on demand, with user permission, to give users a smooth experience on sites that require DRM. The CDM runs in a separate container called a sandbox, and you will be notified when a CDM is in use.

Even more all foss floss, opensource oses enable all drm by default it is not just firefox-drm.

Firefox doesn’t enable it by default; it presents a prompt (when a site requires it) that allows the user to enable it or not.

And at least some Linux distros, e.g. Linux Mint, give you the choice of installing multimedia codecs, which, as far as I know, don’t include DRM.

Looks as if I don’t have Google Widevine installed at all in Firefox. I guess I always said “NO” for the occasional web site that wants to play DRM. I think the prompt is:

Of course, there’s an element of pester power. There’s probably no way to turn off that prompt and always have DRM silently fail - and once you enable it then it is permanently enabled unless you specifically find the right settings e.g. deactivate or remove the plugin.

For those that do install the plugin, it’s good that it runs in a sandbox. However, as the whitepaper implies, there are limits to the privacy and security protections that you get from a sandbox. Blackbox code is ultimately a risk. An otherwise pure system becomes tainted.

Supposedly, setting this to false in about:config disables the nag-prompt:

browser.eme.ui.enabled

Mozilla support says:
Opt out of CDM playback, uninstall CDMs and stop all CDM downloads

Yep. Much less from a blackbox application owned by Google. (They bought it from the creators… hmmm, wonder why Google wanted it… )

At a minimum, if enabled, I think it should be run in a separate browser that doesn’t do anything else but the protected video, and maybe even different browsers for different video subscriptions.

I’m not sure if the client ID that’s generated is unique to a browser or the machine itself, but I suppose separate machines might help anyway.

And separate VPN servers/sessions, just to (hopefully) hide one’s real IP address from the process.

That does appear to work. Thanks. (Even so, giving this option only by directly changing a setting rather than in the obvious place in the Settings GUI is a dark pattern.)

Agreed.

Yes, I wondered about that too. If I ever really really had to install and use Widevine, would I get a permanent, irrevocable ID? Does uninstalling the extension cause the ID to get wiped out? (as a slow way of regenerating the ID)

It would be nice if there some way to force the ID to be regenerated (presumably though then causing loss of access to any downloaded DRM-protected content).

For a streaming service, though, it would be worth trying to constantly regenerate new IDs by uninstalling the plug-in, then enabling DRM again. No risk of loss of access to content, as it’s only playable ad hoc / on demand.

But as you said… blackbox.

Mozilla’s sandbox model: Mozilla Process Model

[moderator corrected link formatting]

That document appears to have some limitations and gaps e.g.

• It is quite old (last edit 2019) so who knows whether it is even accurate / current‽
• It is phrased in such a way as to leave plenty of doubt e.g. Notable features which are blocked by the GMP sandbox include: Any system calls not necessary for a media plugin’s normal operation (Linux specific) - OK, at the end of the day then which system calls are actually allowed and are there any oversights in that list?
• Quoting Reading the current time and setting timers - This is a known attack against microarchitectural state i.e. where leakage is used to retrieve memory contents that could not normally be accessed (such as secret keys that the plugin would not normally have access to) and also timing attacks against poorly written secret key handling (again, secret keys that the plugin would not normally have access to). This can be (partly) mitigated by ensuring that only coarse granularity timing can be done in the sandbox but it is not clear whether that restriction applies here.
• Quoting (but attempting to correct the expression) Ideally, we aim to restrict any interface that could yield PII i.e. should be disallowed, but this hasn’t yet been audited. So not audited (at least not in 2019).
• Depending on how the restrictions are implemented, it runs the risk that new interfaces are added or existing interfaces are modified, in such a way that what was solid at the time of implementation is no longer solid. In other words, auditing is not “set and forget”.
• It does not apparently make clear how a GMP maintains permanent state e.g. storing a client ID. (Maybe the GMP process does not itself have access to the client ID. Who knows.)

Summary: I don’t need this kind of crap in my life. Hence why I have not installed Widevine.

I understand that Firefox may be doing the best it can for those who insist on running blackbox code.

There must be the capability for someone with more computer network and programming experience than most of us have, to write a privacy and anonymity tool. So every time any outside app or network intrusion could be stopped by this program and then tell everything to the phone owner about what is happening and giving the phone owner a list of options. Block and go back, block and spoof to circumvent what the other software is trying to accomplish while getting what you want, accept and then immediately delete the cookie you just accepted, etc. The idea is to access that website, to get past that paywall, or to make the intentionally-broken Java script work, without giving away anything about your identity. If it can’t hide your identity or prevent the spying, then one option would be to tell you that so you would have the choice to accept or reject, based not on what the website or other software is telling you, but based on your software’s own ability to do battle on your behalf against all other snooping and anti-privacy software. A companion browsing friend program to help a person exercise their rights and protect their privacy, even through battling the offending software if/when necessary, would sell well, maybe even better than anti-spyware. Any means to block, deceive, spoof, circumvent, mis-direct the other software could be employed on your behalf to keep your phone from ever sending our real data about you. Have the software make up an identity for you to satisfy the needs of some advertisers or web-hosts that require that information. End result: your real identity and ip address remains anonymous or falsely reported, while advertisers and data collectors receive only mountains of bogus data and their cookies re maintained by no one who accepted them to get past otherwise blocked sites.

Every tool out there currently appears to be built to give the privacy violators an advantage. What we need is something that was written to protect the phone owner so effectively that the bad guys get nothing of value from anyone who has these countermeasures installed to their phone.

This is easier said than done.

The context here is that the DRM code is blackbox code. It is running in a sandbox, yes, but you have no visibility as to what it is doing. It is by definition communicating on the network. It is, in this particular case, by definition using encrypted communications - and even if it didn’t need to use encryption, it has the option of doing so or of obfuscating the contents of its communications.

Hence the safe assumption is that its operations and communications are all completely obscured.

Therefore the approach taken is to control what else the blackbox code has access to. Ideally, it has access to no PII but even that requires careful checking and vigilance. However the blackbox code also has the option of fingerprinting and that is harder to defend against.

Probably the only better protection for running blackbox code is to run it on a separate computer, either virtual or real. (That is approximately the approach that I take e.g. preferring to watch catch-up TV on my TV rather than on a computer because the TV is pretty much a lost cause anyway i.e. it’s all blackbox, and even if the TV weren’t at all blackbox, the TV is at least isolated from things that are stored on other computers on the local network.)

In this case, the only defense would seem to require the starting of a new internet with new rules and protocols required of those who opt-in to it. If enough opensource privacy advocates stood their ground, they could basically say “we refuse everything about your internet. We have our own internet. If you want access to us, you have to submit to our terms of service and technical requirements”.