Why Won't W3C Carve Security Research Out Of Its DRM-In-HTML 5 Proposal?
from the questions-to-ponder dept
A few years back, we wrote a few stories about the unfortunate move by the W3C to embrace DRM as a part of the official HTML5 standard. It was doubly disappointing to then see Tim Berners-Lee defending this decision as well. All along this was nothing more than a focus by the legacy content providers to try to hinder perfectly legal uses and competition on the web by baking in damaging DRM systems. Even Mozilla, which held out the longest, eventually admitted that it had no choice but to support DRM, even if it felt bad about doing so.There are, of course, many problems with DRM, and baking it directly into HTML5 raises a number of concerns. A major one: since the part of the DMCA (Section 1201) makes it infringing to merely get around any technological protection measure -- even if for perfectly legal reasons -- it creates massive chilling effects on security research. To try to deal with this, Cory Doctorow and the EFF offered up something of a compromise, asking the W3C to adopt a "non-aggression covenant," such that the W3C still gets its lame DRM, but that W3C members agree not to go after security researchers.
Who could possibly object to that? But, for whatever reason, the W3C still won't agree to it. Cory and the EFF are looking for security researchers to sign on to tell the W3C to get with the program and to protect security research. They've already got some great names signed on, but if you're in the security research field, please consider signing on as well. Or if you know people in the field, please send them to the EFF asking them to sign on as well.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: drm, html5, security research
Companies: w3c
Reader Comments
Subscribe: RSS
View by: Time | Thread
Take a wild guess...
I believe I'm going to go with 'people who believe that if security researchers aren't allowed to test security, then they don't have to pay for good security', otherwise known as anyone who thinks that 'security by obscurity' is actual security.
[ link to this | view in chronology ]
Am I being paranoid?
[ link to this | view in chronology ]
Re: Take a wild guess...
[ link to this | view in chronology ]
Who could possibly object to that?
And we can thank the MAFIAA for this wonderful DRM debacle. And the security holes they are inserting into otherwise good standards. Because of leprechauns and pixies.
[ link to this | view in chronology ]
Maybe there will be add ons and extensions for this if this gets problematic for security. Just like advertisements.
[ link to this | view in chronology ]
Re: Disabling Digital Restrictions Management support
I believe you can avoid enabling the DRM plugins, but it is not as straightforward as I think it ought to be. Among other problems, Firefox is prone to automatically downloading the DRM plugin for you, whether you like it or not. ("Firefox downloads and enables the Adobe Primetime CDM by default" -- support.mozilla.org: Watch DRM content on Firefox) That page purports to explain how to disable DRM content, but its instructions are wrong for me. I am on a version which is supposed to be affected, but the Preferences dialog it says to use has no sign of the option to disable DRM support.
[ link to this | view in chronology ]
Re: Re: Disabling Digital Restrictions Management support
This reminds me of the people freaking out about ubuntu and the store deal, when all they had to do was disable it or uninstall it.
[ link to this | view in chronology ]
Re:
I don't doubt that there will be addons like NoScript and AdBlock that let you white list websites for DRMed content, and I don't doubt that there will be addons to completely bypass the DRM as well.
I hope the W3C understand what they're getting into. The companies that are requesting DRM in HTML5 will be coming back to the W3C at least once a week to update the DRM because the previous version has been cracked.
[ link to this | view in chronology ]
We Need a New W3C...This One's Broken
[ link to this | view in chronology ]
Re: We Need a New W3C...This One's Broken
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Who?
The major corporations who have overwhelming power over the W3C, that's who.
[ link to this | view in chronology ]
So yeah, I vote for an open wiki to replace the W3C.
[ link to this | view in chronology ]
DRM Could be Used by Terrosits to Hide their Actvities
[ link to this | view in chronology ]
Re: DRM Could be Used by Terrosits to Hide their Actvities
[ link to this | view in chronology ]
Re: Re: DRM Could be Used by Terrosits to Hide their Actvities
That's not DRM. DRM is when the recipient and attacker are the same person.
[ link to this | view in chronology ]
Re: Re: DRM Could be Used by Terrosits to Hide their Actvities
For one thing, DRM schemes exist that use no encryption whatsoever.
[ link to this | view in chronology ]
Re: DRM Could be Used by Terrosits to Hide their Actvities
[ link to this | view in chronology ]
Car analogy
HTML5 = gasoline with sugar in it
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re
First my understanding is that this Recommendation does not actually dictate any DRM, it provides a hole in the specifications labeled "DRM magic happens here". As such browsers could update that hole, keeping ahead of attacks, without breaking compliance. The DRM is actually browser specific.
Also, if as suggested, the intent is to secure WebRTC communications by extending the browser:
1) This is not how it's used (by Netflix) and advertised (by Apple as "HTML5 Premium Video")
2) Hey, while you're writing native code to extend the browser to add encrypted communications, why not create a cross platform GTK application around it? If you do that, you really don't need this standard, and besides HTML5 is mostly a bunch of bloat to me.
[ link to this | view in chronology ]
Re: Re
That's correct. It's also why literally the only argument for why this should be part of the HTML standard is complete bullshit. The argument in favor is that by doing this, browser plugins will no longer be needed to access DRM'd stuff, since it will be standardized.
But that's just a lie -- it will not be standardized. All this does is standardize a brand new plugin system, so everything ends up just as it was without the standard.
Except that HTML is made worse.
[ link to this | view in chronology ]
Re: Re: Re: Disabling Digital Restrictions Management support
People just don't do it, and it should be the developer's responsibility to configure nice, convenient, and secure defaults.
This is important because the loss of privacy isn't an individual's concern but a societal one, and additionally those who value privacy should be able to hide amongst those who don't care.
[ link to this | view in chronology ]
A standard isn't a mandate
I—for one—will look for my browsers to be HTML5 + DRM free. And if that means my browser isn't technically HTML5 compliant, I'm comfortable with that.
[ link to this | view in chronology ]
The answer would be that almost every hacker in the world would claim to be "just researching" when they are caught trying to get around HTML5's DRM sceheme. So once you carve out an exception, everyone will pile in and claim to be exempt.
What I love here is that this is EXACTLY like the Techdirt claims against backdoors in encryption. Once you offer up a backdoor, the bad people will take advantage. Creating an exception in the rules will create the exact back door you have warned us against over and over again.
[ link to this | view in chronology ]
Re:
"The answer would be that almost every hacker in the world would claim to be "just researching" when they are caught trying to get around HTML5's DRM sceheme."
They can claim that, sure, but that doesn't mean their claim will hold up.
If all they were doing is actual research (regardless of the purpose for the research), all is well. If they were actually engaging in nefarious activities, though, then claiming "research" would hardly stand up when the prosecution presents the evidence of the nefarious activities.
[ link to this | view in chronology ]
Re: Re:
You don't understand, we have to magically prevent people from doing the bad things. You can't expect copyright holders to actually take infringers to court after the fact, can you? That would take time, effort, and money!
[ link to this | view in chronology ]
Re: Re:
Imagine someone comes up with a nice little patch to get around the DRM and allow streams to be captured and shared. They found it while doing "research", and they then release a plugin for others to "research" to see if the phenomena is actually easily replicated. By the time you stop the "researcher" the plugin is already in the wild and shared around, and duplicate plugins and such will get released...
Meanwhile, the original "researcher" says that he had no intention of breaking the law, and like DVD replication software, the intent wasn't to pirate anything. So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research.
Simply, you would create ANOTHER level of deniability, which would be a big fail. By the time you get through it all, the DRM is destroyed and the point made moot.
[ link to this | view in chronology ]
Re: Re:
Imagine someone comes up with a nice little patch to get around the DRM and allow streams to be captured and shared. They found it while doing "research", and they then release a plugin for others to "research" to see if the phenomena is actually easily replicated. By the time you stop the "researcher" the plugin is already in the wild and shared around, and duplicate plugins and such will get released...
Meanwhile, the original "researcher" says that he had no intention of breaking the law, and like DVD replication software, the intent wasn't to pirate anything. So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research.
Simply, you would create ANOTHER level of deniability, which would be a big fail. By the time you get through it all, the DRM is destroyed and the point made moot.
[ link to this | view in chronology ]
Re: Re: Re:
So you're actually saying it would be a bad thing that a plaintiff would have to prove that the defendant had nefarious intent. The intent should just be written into the law, and anyone breaking DRM should be punished as though they intended to infringe copyright, whether they did or not.
[ link to this | view in chronology ]
Re: Re: Re: Re:
It would just create another way to excuse bad behavior.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
There is no legal action in which a US court requires 100% proof. In a civil action, the burden of proof is preponderance of the evidence.
[ link to this | view in chronology ]
Re: Re: Re:
If that's the point, then the idea is a huge fail from the start. All it will do is make sure that any vulnerabilities found will be in the hands of criminals while making it impossible for the good guys to talk about, or do, anything.
"Meanwhile, the original "researcher" says that he had no intention of breaking the law, and like DVD replication software, the intent wasn't to pirate anything. So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research."
No, you really don't. You just have to prove that he broke the law.
[ link to this | view in chronology ]
Re: Re: Re: Re:
No matter what, there will be security holes. They are unavoidable in modern code (thanks for the proof, Apple!). However, the question is one of ease of distribution and easy of discussion that would lead to widespread use of the holes. A small number of dark web types sharing a patch isn't the same as all users downloading a free patch that disables DRM. Without wide legal distribution, patches generally shouldn't catch on enough to be an issue versus patches to fix them.
"You just have to prove that he broke the law."
Yes, and if the intent isn't to go after people who are breaking the law, where does that leave you? It gets pretty messy when you say "hey, just ignore the law, because, well, we want you to play". The law says don't circumvent, so the solution ends there.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
In this case, the two are the same thing. If they can't do it, then they have nothing to talk about. If they do it, then they can't take the legal risk of talking about it.
"No matter what, there will be security holes."
Exactly right, which is why it's important that there be a way to find them.
"The law says don't circumvent, so the solution ends there."
I should have been more specific. What is in dispute is a variation on anticircumvention laws and whether or not they are good things. I maintain they are terrible, counterproductive, and restrict people from doing things that nobody would argue are bad.
So in this context, when I'm talking about breaking the law, I'm not talking about the law we're disputing over, I'm talking about the other laws that are aimed directly at nefarious behavior.
[ link to this | view in chronology ]
Re:
The answer would be that almost every hacker in the world would claim to be "just researching" when they are caught trying to get around HTML5's DRM sceheme.
Yes, why not? Of course said hackers can claim whatever they want but it would be quite hard to sustain it if there's evidence that financial advantage was obtained directly from the flaws and not from disclosing the vulnerabilities so they can be patched.
Creating an exception in the rules will create the exact back door you have warned us against over and over again.
Copyright is already an exception. And you are right, look how thoroughly and regularly it's abused. DRM itself is an abhorrent byproduct of this exception.
[ link to this | view in chronology ]
The solution
Really browsers should have been doing this since about HTML 1.1, but Mozilla went with a "we support everything" model because that is what Redmond did. Which is why the whole world wide web is engineered to be insecure and broken now.
And now that the web is fubar'd, Redmond's forking the whole Internet with Teredo, and leaving Mozilla battered and crying, with it's panties around it's ankles in a dark alley. Pretty much just like every technology they have ever "embraced".
THIS is why you should support open source software.
[ link to this | view in chronology ]