Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Curious if anyone with legal expertise knows if this has legs? They say:

> The clear purpose of this source code is to (i) circumvent the technological protection measures used by authorized streaming services such as YouTube, and (ii) reproduce and distribute music videos and sound recordings owned by our member companies without authorization for such use.

But the "circumventing" is still accessing a stream the user can view anyways, and the "reproduce and distribute" feels like a stretch -- there's no inherent distribution. This isn't anything like a pirating or a torrenting tool.

It feels more akin to when movie studios sued VCR manufacturers for being able to record TV back in 1984 -- and lost [1].

(Also, side note but I have never in my life seen a story upvoted so quickly on HN. 130 points in just 7 minutes so far.)

[1] https://en.wikipedia.org/wiki/Sony_Corp._of_America_v._Unive....



Also, does the fact that YouTube doesn't supply a download feature constitute a "technical protection measure"?

From the RIAA's point of view, it works to their benefit that a download link doesn't exist, and it may be something they like, but that doesn't mean that's why.

It could just as easily be that a download feature doesn't exist because YouTube wants you to keep returning to their site if you want to rewatch a video.

It would be one thing if some YouTube videos had a download button and others didn't. That would suggest that, on the ones where it's missing, it is missing for a reason, and that reason might be DRM. But as far as I know, YouTube doesn't have download for any videos.

Software doesn't always have all the features that end users might want, and the mere absence of a feature doesn't necessarily tell you why it's missing. Also, it's not some weird, suspicious thing to write software which fills in a feature gap in some other software. (Google encourages add-on software on other products, too. For example, Chrome extensions and Gmail add-ons.)

But, maybe there is some legal reason why this could make sense. Maybe some terms of service or licensing (for video uploaders or for regular end users) says not to download something, which would make it clear that the download feature is missing on purpose.


> Also, does the fact that YouTube doesn't supply a download feature constitute a "technical protection measure"?

My understanding is that basically anything at all, if it is in any way "technical" and shows intent, will be accepted as a "technical protection measure" if you go by what has worked so far.

Much more absurd and blatantly bad faith arguments have been accepted, "conspicuously not supplying the feature" is a very strong case in the absurd world of the DMCA cases.


I mean it has to be that way because it would be silly to lose copyright protection just because you have crappy security.


That is not the argument, though. Your copyright is protected regardless of the strength of your security measures. But it is also, separately, illegal to circumvent these measures. This latter prohibition becomes more far-reaching and has more collateral damage the weaker the security measures it applies to, which is worrying.

Outlawing the methods of committing a crime also (instead of just the crime) requires a balancing act between their legitimate and illegitimate uses, which seems precariously absent when talking about technically laughable “security measures” that can be circumvented by pressing F12.


Whoa there. The DMCA is not “copyright protection”. The DMCA is a bunch of additional obnoxious protections on top of copyright.


But the trick is to put a crap lock around both something that can be copyrighted but is unimportant and things that cannot be copyrighted.

Now all legal uses of everything behind that lock are illegal for circumvention reasons.

It's a way to apply the DMCA to literally anything digital. The quality of the software doesn't matter, because it isn't for security, just a legal hack.


The fact that youtube wants people to come back to the site and use servers, miles of wires, electricity, network machinery instead of letting them download videos so they can watch them from thumbdrive just says to me this company is unethical and harms environment. Any business model that forces people to be on the network without any reason other than greed, should be illegal. If you can stream the file, download option should be mandatory by law.


People forget that Youtube is a _business_. The reason they maintain all of those servers and network machinery is to serve ads, otherwise why would they provide that service for free?


Once you download a video, you don't need their service anymore to watch it again. But they want you to remain dependent on them.


No. But they shouldn't harm environment. If business is harmful then should be illegal.


Well that's a pretty simplistic view.


That doesn't mean there isn't some truth to it. ;)


How is it possible to legislate electricity caps on google, according to some imagined threshold of "harm to environment"? Sounds like the number of lawyers involved would be the real harm in this scenario.


Company will have to justify what is their business need for particular use of electricity.


All businesses run on financial incentives (or what you call 'greed'). How is it possible that profit motive and associated laws that facilitate buying/selling be written off as unethical?


There is a "Download" button in the mobile Youtube apps (if you're paying for Youtube Premium).


Except it doesn't give you the actual file, it's still only playable offline through the app (unless you have root I guess).


I have YT premium and an android phone so I checked this out. It looks like they don't store a single mp4 or anything and instead store it in chunks. I am not sure though if they are actually encrypted and stored using some sort of copy protection or if you could assemble the pieces into a single video using some algorithm without a special key.


I would guess it’s similar to the chunking they do when streaming in the first place. Assembling the pieces is one of the main functions of youtube-dl.


Youtube does have a "download" feature in YouTube studio. Where you can download a heavily compressed version of any video you've uploaded. But only videos you've uploaded.


IANAL IANAT yet the video I am watching isn't being stored in my browser?


The data obviously must make it to your computer. A distinction that can be made is whether it is possible/easy to use it separately, outside of YouTube.


They come as regular media files, the chunking would cause issues for most people but it's easy to view. I don't think difficulty is what is important though, what matters is if they were to need some kind of decrypter from the copyright holder.


> Also, does the fact that YouTube doesn't supply a download feature constitute a "technical protection measure"?

The law is so vague on this point so as to include practically anything. Here is the text:

> a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.


> Also, does the fact that YouTube doesn't supply a download feature constitute a "technical protection measure"?

an actual court in germany ruled that: https://openjur.de/u/2194436.html

sadly german only. lots of fud and hamburg is often pro copyright owner. not sure if that would hold at the highest instance.


The decisions of a German court would have no impact on a US court.


As mentioned in the notice, the RIAA is specifically claiming youtube-dl's deobfuscation of youtube's request signatures is what's infringing, which a german court ruled to be an effective technological protection measure.


I seriously doubt they read the source code.


> It could just as easily be that a download feature doesn't exist because YouTube wants you to keep returning to their site if you want to rewatch a video.

Lets be clear though - the only reason copyrighted material is allowed on Youtube is because the owners then grant a license for the content in exchange for ad revenue. Offering a download link severly damages the "owners are paid for their content" part of the equation.


This is true and still applies in the case where you pay for YouTube Premium. Even if you use YouTube Premium you are also helping pay the content creators [1]

> # How YouTube Premium supports creators.

> Creators are the heart and soul of YouTube. To make sure they're compensated for their work, we share ad revenue with them when you watch ads on YouTube. If you're a YouTube Premium member, you won't see ads, so we share your monthly membership fee with creators. Best of all, the more videos you watch from your favorite creators, the more money they make.

So, to reply to the gp you technically aren’t just paying “evil” and “greedy” big corps, but your also helping all the YouTubers.

[1]: https://support.google.com/youtube/answer/7060016?hl=en


The button doesn't exist, but apparently they do have a link that lets you download the video, it is just obfuscated. <https://news.ycombinator.com/item?id=24874277>


You are able to download YouTube videos on your phone, if you subscribe to YouTube premium. I haven’t made any deep investigation of this but I kinda assume the videos are protected by DRM.


>Also, does the fact that YouTube doesn't supply a download feature constitute a "technical protection measure"?

Yes, they have some sort of DRM, albeit a very weak one.


Last I checked normal youtube videos are just a MPEG-DASH/HLS stream, with no DRM.

What youtube-dl essentially does is reading the playlist and concatenating chunks together, there is no DRM circumvention here.


Sure, but the URL that needs to be requested is encrypted even if the stream itself is not.


It's no more encrypted than any other https resource. What is the argument you are trying to make?


My argument is that the URL address for the HLS stream you access is not in clear text in the html code youtube sends you. Javascript code is executed to decode it (which changes constantly, hence the need for youtube-dl to be updated constantly) and that is a form of DRM which youtube-dl breaks.


That's not DRM, and not encryption as you originally said. DRM would be something like https://en.wikipedia.org/wiki/Encrypted_Media_Extensions.


Anything that limits your choices of what to do with some contents is DRM. It does not matter how naive it is. Even product keys are considered DRM.

I would also argue that something that is ciphered and then deciphered is encrypted.


In that case every OSS project is in some way DRM:ed since they require a compiler, interpreter or some specific instruction set to run. That is not at all how the term DRM is used, and if you want to think of it that way you should also know that when speaking to others they have another definition of what DRM is.

As I said it is as encrypted (no less, no more) as all other https traffic. Please note that normal https does no verification of the client, the client verifies the server not the other way around (client verification is of course possible but almost no public sites use it). So the encryption in this case verifies that the content comes from youtube or other sites that it supports but youtube itself does no attempt at verification of the client. This is in contrast to real DRM where the content is encrypted in such a way that it is hard to decode it without running the Content Decryption Module, which are proprietary plugins and that can check HDCP and similar ways to only allow playback on "trusted" devices.


The embeded js that YouTube provides gives your browser the link in clear.


Hmm, so maybe it's legally enough if YouTube does have a protection mechanism and the material is copyrighted, even if the protection mechanism isn't necessarily intended to protect copyright?


The entire IP concept is really hard to make sense of with the web: a browser works by making a local copy of a remote resource and then making that local copy available to the user. I don’t see why, from the server’s perspective, the precise client matters: if I use curl + pandoc to read your webpage, is that really meaningfully different from using Firefox or Chrome?


> is that really meaningfully different from using Firefox or Chrome?

In the USA legally it is because the vast majority of the judges that have ruled on these things think anything that isn't a browser is a hacking tool. Using wget is enough to get you thrown in federal prison for accessing public web resources.


> Using wget is enough to get you thrown in federal prison for accessing public web resources.

Example?


Aaron Swartz remains a prominent example. RIP

https://www.newyorker.com/tech/annals-of-technology/when-pro...

His JSTOR code (below) calls wget: https://osf.io/bnd2h


The crime was not that he used wget, it’s that after he was banned from the service he used a server closet he was not permitted to access to continue downloading. Still bullshit but it’s not even close to wgetting a public resource


Isn’t MIT a public university?

Edit: no, it’s a private land grant university. What kind of socialism is this, anyway? How is this structure even valid, if not for historical precedent?

Nothing against socialism or even my point, really. Just very odd to see how blatantly discriminatory and contradictory this seems to have a private university performing a necessary public service, with free land from the state. Not that the work isn’t well done, or anything. Just bears strict scrutiny.


If I go to a public park and bust open the lock on the utilities shed and mess with the tools, it’s still a crime.


Were those public resources, though?


Nope, you needed to be on the MIT network. He argued that they should be public, which is very much NOT the same thing as actually being public in the eyes of the law.


Nitpick, on page three of the document you posted it states that his script used curl and not wget


I was interpolating, the article implies wget but I didn’t mean to imply I had verified that or anything. I’ll admit I did make a stronger statement than intended and was relying on third party interpretations of the code. Thanks for the clarification!

I think weev may have used wget in his AT&T work where he discovered links or interactions between customer data and iOS in an AT&T subsite?

http://madisonian.net/2013/04/09/academics-go-to-jail-cfaa-e...


So, had he opened a browser and used the javascript console to download everything instead, he would have gotten off scot free?


What's a javascript console? Sounds like a hacker tool, off to prison with him.



Yes. That's what I was thinking of.


United States v. Swartz?


I'm NAL, but familiar with IP law.

My analysis is at https://news.ycombinator.com/item?id=24874277 and I'm broadly skeptical of the legal viability under US law.


I feel like if they'd been more patient, they might have addressed the similarity to the "analog hole."


> a stream the user can view anyways

The true purpose of the DCMA is to control the distributors via the use of tools like DRM.

The fact that you can view music on YouTube at all is something of an anomaly. The recording industry would love to dispense with YouTube entirely if they could.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: