[SOLVED] Is DRM clearkey supposed to protect video from being recorded?

Is DRM clearkey supposed to protect video from being recorded?

I am testing DRM with clearkey scheme using this Dash.js example: https://reference.dashif.org/dash.js/nightly/samples/drm/clearkey.html. I found that while the video can be played with the correct key configured, it does not prevent recording or screen capturing. I wonder if this is a supposed behavior, or I can config the player somewhere to make it possible to blackout the screen when being screenshot.

I found https://github.com/google/ExoPlayer/issues/8531 being a relevant question but targets to the Android platform.

Solution

_{If you'll permit me to slightly rephrase your question...}

Is ClearKey DRM supposed to protect video from being recorded?

No; ClearKey DRM is not concerned with enforcing output-protections, but not because it can't (because it technically can), but because (in my opinion) it's simply out-of-scope for them: ClearKey is not a CDM; the browser/hardware/device brings the CDM (with the power to force people to suffer 1990s composite video), whereas ClearKey is only concerned with encrypting the DASH (Dynamic Adaptive Streaming-over-HTTP) envelope of the video stream and delegating everything else to the browser/platform/player.

Interestingly, ClearKey's readme says that they want to fill the gap between (minimally-protected) token-auth based HLS stream requests and the excesses of full-fat DRM schemes that ultimately only hurt legitimate consumers:

https://github.com/Dash-Industry-Forum/ClearKey-Content-Protection/blob/master/README.md

[...] To fill this gap and to provide a level of content protection between HTTPS-delivered token auth and DRM, we propose ClearKey Content Protection (CCP).

As for disabling screenshots and all that other customer-hostile stuff advanced by truly rephrensible people, that's all provided by the CDM, which (we're told) should not necessarily be considered separate or distinct from the web-browser itself, or even the user's entire computing platform - considering that Chrome and Widevine are ultimately still dependent upon Windows, macOS, and Android's own DRM abilities:

"CDM may use or defer to platform capabilities"
Windows' compositing window-manager provides the ability for userland applications to prevent users taking screenshots.
- ...and Windows' Protected Media Path provides a way for computers to have some kind of hardware-level protection and output restrictions.

(Warning: pontification time):

I'm unsure what value ClearKey actually has, considering their document describes how the user's browser is able to obtain the video's decryption key in plaintext via a HTTPS request that anyone could intercept using their browser's devtools - or just any competent TLS-capable proxy - so ClearKey's success entirely depends on browser-vendors pinkie swearing not to expose the decryption key to their users.

Ultimately, it fails the "YouTubeDownloader-Test" as far as I can tell; that is to say that there's very little in ClearKey that would succesfully prevent a YourVideoSiteDownloader-type of program from working.