Matt wrote:https://torrentfreak.com/deciphering-yo ... ke-201030/
At TorrentFreak, we have relatively little knowledge about encryption, so it would be impossible for us to bypass this ‘rolling cipher,’ one would think. However, after a few Google searches, we learned that pretty much every browser can do this by default.
Which is really the crux of the issue, as I see it. A rolling cipher is a data transformation technique. That's all. ASCII codes, video compression, ROT-13, etc are also data transformation techniques. To be an effective lock, something more is needed. Something to prevent the cipher from working correctly if it's not authorized.
Essentially what's going on is a client sends an HTTP GET request for a youtube video URL, then the server sends back all the necessary code and information to generate the video URLs to download and play them. A browser uses this to display a page, and download the video for playback in the page, whereas youtube-dl downloads the video without automatic playback and doesn't display a page (and if you say anything accessing a web page has to display it as intended, you're essentially saying ad-blockers and greasemonkey and web debuggers are illegal since they remove elements from or change how the page is displayed, while putting buggy browsers in jeopardy if they have issues causing pages to display incorrectly). Calling this "protection" or a "lock" would be equivalent to a combination lock with the combination written right on it, and expecting only people with freshly cleaned suits to unlock it (without the people walking up to the lock having to agree to anything before touching the lock). If it didn't specify where the videos files are, browsers wouldn't be able to play them, which any of them implementing the appropriate
open web standards can. Is Pale Moon or Konqueror circumventing Youtube's "digital lock"? Is Firefox? Are only Chrome-based programs authorized to access the video URLs? More to the point, "effective technological protection measures" (as required by the DMCA anti-circumvention provision) must be able to, in the absence of anti-circumvention tech, block unauthorized use and allow authorized use. If not, it's by definition not effective protection. Does Youtube do this when a client accesses its servers to request videos? No, IMO.
In contrast, Youtube
does implement DRM on some videos; most notably, movies that you buy, rent, or are temporarily free. Youtube-dl actually can't download those videos, and neither can certain browsers. In this case, Youtube doesn't provide everything necessary to play a video when requesting it, without additional information from the non-free/open DRM module. I'm quite aware of this since my browser can't play even the Free movies they have available, and youtube-dl is not able to download them to play through mpv. For the RIAA to say its videos are sufficiently protected when they don't have this DRM enabled on their videos is laughable. It's telling that the MPAA isn't part of the takedown request, despite also having content up on Youtube.