that's how understood it as well:

"youtube-dl stands in place of a Web browser and performs a similar function with respect to user-uploaded videos. Importantly, youtube-dl does not decrypt video streams that are encrypted with commercial DRM technologies, such as Widevine, that are used by subscription video sites, such as Netflix."

"We presume that this “signature” code is what RIAA refers to as a “rolling cipher,” although YouTube’s JavaScript code does not contain this phrase. Regardless of what this mechanism is called, youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them. As federal appeals court recently ruled, one does not “circumvent” an access control by using a publicly available password. Circumvention is limited to actions that “descramble, decrypt, avoid, bypass, remove, deactivate or impair a technological measure,” without the authority of the copyright owner."

Right, but the law makes no mention of secret keys, it just says you can't go around anything that controls access to a copyright work; and you can't provide tools to do so. The actual legal definition of tools covers both actual technical purpose as well as marketed purpose. Rebranding, say, OBS as "Recorder for YouTube" and talking about how you can use it to get around YouTube's downloading protections by screencapping the entire video would possibly constitute a 1201 violation.

There's also another question of law, though: does 1201 apply when only the intent of the DRM has been circumvented, as opposed to it's technical scope? In other words, does pointing a camera at a monitor constitute circumvention of DRM under section 1201? Most DRM can't actually validate, say, that a human is watching instead of a camcorder. (Let's ignore pesky things like Cinavia which are more akin to post-piracy frustration techniques, and easily circumvented with any kind of Free media player.) Likewise, YouTube's rolling cipher can't really validate that it's not sitting inside of an instrumented browser that will dump whatever URLs it grabs. Our hypothetical OBS rebrand wouldn't actually be a 1201 violation unless the law specifically covers things that DRM can't technically enforce but would like to.

I called this a couple of times[1][2] so it is nice to finally see someone else make this argument. It seems obvious to me.

[1]: https://news.ycombinator.com/item?id=25006577

[2]: https://news.ycombinator.com/item?id=24997072

If a program had its own implementation of widevine, why wouldn't you also be "effectively a web browser" ?

I wonder if the RIAA will now be putting pressure on YouTube to use the same DRM as Netflix, so that when a video is downloaded they can’t use this ‘it’s just a browser guv’ defence because there would then have to be some circumvention to make it work.

That's a DMCA argument (I'm not hacking).

But it doesn't really work: If you protect your house with no lock, not even a door, but just a little rope with a sign on: "Do not jump over or duck under this ribbon, or cut it!", that's, for the DMCA, enough - so you get into fun games where you claim that, say, a long random unique key that is right there in the HTML youtube.com serves which links to the video is a 'security measure' and that 'I shall read the URLs in this <video> tag and download what I find there instead of showing it on the screen' is 'circumventing this'.

How far can you stretch the meaning of 'circumventing access-control measures' before, in court, you lose your argument? I don't think anybody quite knows yet, but surely github doesn't want to be on the hook for it without microsoft's legal team and management signing off on the risk.

Furthermore, separate from DMCA's hacking provisions, there is simply the concept of who is responsible for any copyright infringement caused by stuff github hosts. As per 17 USC §512 (the so-called 'safe harbor provision'), the idea of claiming 'hey I just host this stuff, I'm not responsible for this, why dont you take it up with whomever uploaded this' is codified: You can do that, but it does mean that you _MUST_ take down the content in response to a takedown notice, and if you don't, then you are now liable any infringement that content makes.

The idea is that the owner of the data files a counterclaim notice, at which point the hoster (github) is free to re-host everything without opening itself up to liability, but only if, as per 17 USC §512, they do so 'no less than 10 days and no more than 14', and github did it in 1 day, so whoopsie there I guess.

At that point it does turn into a fight between claimer and counterclaimer: The idea behind those 10 days is that the supposed real content owner can then go file in court against the counterclaimer; merely filing a lawsuit is enough: Show that to the hoster (github), and they can no longer re-enable the content without then being liable for infringement by doing so.

You can't file a counterclaim until your content is removed.

Yeah, that means an utter bozo can take your content down for at least 10 days and there is nothing you can do about this. The DMCA is not particularly well designed in this manner (it doesn't protect against trolly crud well, and getting a barratry verdict in the US is borderline impossible). But that's how it works.

In github's shoes, the fact that youtube-dl doesn't infringe is relevant only insofar that they are willing to ride that notion allllll the way to the gavel in the ensuing court case, because they will be defendants if they ignore the takedown request. Presumably they weren't going to just do that without at least a close look by microsoft's legal team, and a signoff from the big wigs for the likely millions this will cost, given that US law in these matters is... well, have you ever seen one of those shows where 2 people are on a beam and trying to knock the other one off with a giant q-tip? US law is like that, except the ends of the q-tips are moneybags.