Why Won't W3C Carve Security Research Out Of Its DRM-In-HTML 5 Proposal?

from the questions-to-ponder dept

Wed, Mar 30th 2016 12:47pm — Mike Masnick

A few years back, we wrote a few stories about the unfortunate move by the W3C to embrace DRM as a part of the official HTML5 standard. It was doubly disappointing to then see Tim Berners-Lee defending this decision as well. All along this was nothing more than a focus by the legacy content providers to try to hinder perfectly legal uses and competition on the web by baking in damaging DRM systems. Even Mozilla, which held out the longest, eventually admitted that it had no choice but to support DRM, even if it felt bad about doing so.

There are, of course, many problems with DRM, and baking it directly into HTML5 raises a number of concerns. A major one: since the part of the DMCA (Section 1201) makes it infringing to merely get around any technological protection measure -- even if for perfectly legal reasons -- it creates massive chilling effects on security research. To try to deal with this, Cory Doctorow and the EFF offered up something of a compromise, asking the W3C to adopt a "non-aggression covenant," such that the W3C still gets its lame DRM, but that W3C members agree not to go after security researchers.

Who could possibly object to that? But, for whatever reason, the W3C still won't agree to it. Cory and the EFF are looking for security researchers to sign on to tell the W3C to get with the program and to protect security research. They've already got some great names signed on, but if you're in the security research field, please consider signing on as well. Or if you know people in the field, please send them to the EFF asking them to sign on as well.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: drm, html5, security research
Companies: w3c

38 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 30 Mar 2016 @ 11:01am

Take a wild guess...
Who could possibly object to that?

I believe I'm going to go with 'people who believe that if security researchers aren't allowed to test security, then they don't have to pay for good security', otherwise known as anyone who thinks that 'security by obscurity' is actual security.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Mar 2016 @ 1:00pm
  
  Am I being paranoid?
  The FBI want to be able to force companies to write code to their specification, and effective DRM requires code that can control what a computer is doing at a low level, what's not to like about it, if you are a TLA or oppressive government. Therefore the DMCA protects government activity.
  [ link to this | view in chronology ]
- crade (profile), 30 Mar 2016 @ 1:40pm
  
  Re: Take a wild guess...
  How about those that believe that putting in workarounds for the most glaring failures of the system is just hiding the fact that it needs to be fixed?
  [ link to this | view in chronology ]
- Ninja (profile), 31 Mar 2016 @ 4:30am
  
  Who could possibly object to that?
  It's not hard to answer this actually. Just look at how many corporations went ballistics either by shaming the ones revealing bugs and security breaches or dragging them to the courts along with the Government not only willing to throw the entire library of laws on these researches in support of said corporations but also engaging in the same tactics. The examples are there.
  
  And we can thank the MAFIAA for this wonderful DRM debacle. And the security holes they are inserting into otherwise good standards. Because of leprechauns and pixies.
  [ link to this | view in chronology ]
Anonymous Coward, 30 Mar 2016 @ 1:15pm

Would it be possible to add an option to the browser's interface to disable these drm features? Like how you can disable javascript as a security measure?

Maybe there will be add ons and extensions for this if this gets problematic for security. Just like advertisements.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Mar 2016 @ 1:27pm
  
  Re: Disabling Digital Restrictions Management support
  Funny you should mention that. Not that many releases ago, Firefox intentionally removed the UI for disabling Javascript, supposedly on the grounds that too many people were using it to disable Javascript and then wondering why things were broken. I suppose having the browser display a drop-in stating "This page is attempting to use unsafe scripting functionality, which you have disabled. Page functionality may be reduced. Please contact the page author if you find anything is broken." would have been too much trouble.
  
  I believe you can avoid enabling the DRM plugins, but it is not as straightforward as I think it ought to be. Among other problems, Firefox is prone to automatically downloading the DRM plugin for you, whether you like it or not. ("Firefox downloads and enables the Adobe Primetime CDM by default" -- support.mozilla.org: Watch DRM content on Firefox) That page purports to explain how to disable DRM content, but its instructions are wrong for me. I am on a version which is supposed to be affected, but the Preferences dialog it says to use has no sign of the option to disable DRM support.
  [ link to this | view in chronology ]
  - Anonymous Coward, 30 Mar 2016 @ 5:32pm
    
    Re: Re: Disabling Digital Restrictions Management support
    Okay, so about:config is too hard for security conscience people? I'm not saying everyone should be a coder, but knowing how to use the programs that you have should be sort of well given. You can bloody well disable everything including javascript, flash, silverlight, et al...
    
    This reminds me of the people freaking out about ubuntu and the store deal, when all they had to do was disable it or uninstall it.
    [ link to this | view in chronology ]
- Chronno S. Trigger (profile), 30 Mar 2016 @ 3:08pm
  
  Re:
  Fun fact: In Firefox there is a checkbox "Play DRM Content" that's disabled by default.
  
  I don't doubt that there will be addons like NoScript and AdBlock that let you white list websites for DRMed content, and I don't doubt that there will be addons to completely bypass the DRM as well.
  
  I hope the W3C understand what they're getting into. The companies that are requesting DRM in HTML5 will be coming back to the W3C at least once a week to update the DRM because the previous version has been cracked.
  [ link to this | view in chronology ]
Anonymous Coward, 30 Mar 2016 @ 1:38pm

We Need a New W3C...This One's Broken
On the whole, the W3C disclosed its sell-out nature when they dropped ongoing XHTML development in favor of the HTML 5 as a project. The overwhelming commitment to shiny, flashy [not Flash-y], media to the detriment of good software principles made clear the W3C had gone over to the dark-side. The best reply to the W3C would be a ground-swell rejection by developers simply refusing to employ the new doctype when it's released.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Mar 2016 @ 5:47am
  
  Re: We Need a New W3C...This One's Broken
  Good riddance to xhtml. I far prefer the more terse syntax of html over the xml bloat of xhtml. All that bloat adds up on your hosting bill eventually.
  [ link to this | view in chronology ]
Mark Wing, 30 Mar 2016 @ 1:40pm

Yet another organization corrupted to the point that its moral compass points to money. Maybe we need a competing standard to HTML?
[ link to this | view in chronology ]
Anonymous Coward, 30 Mar 2016 @ 2:21pm

We just need to put one of those "This page is insecure!" warnings in the browser every time some DRM content tries to load
[ link to this | view in chronology ]
John Fenderson (profile), 30 Mar 2016 @ 4:10pm

Who?
Who could possibly object to that?

The major corporations who have overwhelming power over the W3C, that's who.
[ link to this | view in chronology ]
Adrian Cochrane (profile), 30 Mar 2016 @ 4:23pm

To be clear, given the way the W3C are structured, the browser vendors (who buy in) write the specs and Berners-Lee acts as king and sign off on these specs when he considers them stable. That means that Hollywood doesn't need to send lobbyists to the W3C, they've already corrupted at least Apple (who like to call this "Premium HTML5 Video") and Google. Besides this "standard" hardly qualifies as one, as it basically is a new <embed> tag where every browser provides their own incompatible DRM (I imagine it's done this way because security by obscurity really is the only way to do DRM).

So yeah, I vote for an open wiki to replace the W3C.
[ link to this | view in chronology ]
Steve R. (profile), 30 Mar 2016 @ 4:48pm

DRM Could be Used by Terrosits to Hide their Actvities
Given all the hysteria over the iPhone, it would seem that DRM needs to be implemented with a back-door so that the government can access the content at will. We don't want the terrorists to hide their communications behind a security wall. Once that "Key" is developed it will escape into the wild, so what will the owners of DRM encumbered equipment actually get in the way of a benefit?
[ link to this | view in chronology ]
- Anonymous Coward, 30 Mar 2016 @ 5:46pm
  
  Re: DRM Could be Used by Terrosits to Hide their Actvities
  Sadly, this was my reasoning behind agreeing with W3C allow DRM plugins. This doesn't necessarily mean a bad thing. DRM is simply an encryption protocol, meaning that it could allow say WebRTC chat rooms to be encrypted through an open source plugin through the W3C's DRM plugin design, but fanatics get their panties in a bunch when you mention DRM. If you want to speak privately with person X than DRM might just be a way to get there, like PGP and private keys. You sign with a public key of the person, and they decrypt with their private key through the plugin and wham we have encrypted communication through gasp *DRM*. The plugin just has to handle the encryption/decryption and the WebRTC format doesn't get bloated with additional code that could very well make it insecure.
  [ link to this | view in chronology ]
  - nasch (profile), 31 Mar 2016 @ 8:38am
    
    Re: Re: DRM Could be Used by Terrosits to Hide their Actvities
    You sign with a public key of the person, and they decrypt with their private key through the plugin and wham we have encrypted communication through gasp *DRM*.
    
    That's not DRM. DRM is when the recipient and attacker are the same person.
    [ link to this | view in chronology ]
  - John Fenderson (profile), 31 Mar 2016 @ 9:22am
    
    Re: Re: DRM Could be Used by Terrosits to Hide their Actvities
    Nasch is right, what you're talking about is public key encryption, not DRM. DRM schemes can use PKE, but it itself is a very different thing.
    
    For one thing, DRM schemes exist that use no encryption whatsoever.
    [ link to this | view in chronology ]
- Anonymous Coward, 30 Mar 2016 @ 5:51pm
  
  Re: DRM Could be Used by Terrosits to Hide their Actvities
  Sorry, on the main topic at hand though, let the hackers go to town, it's good for everyone to have the cat and mouse game. It will always better secure people in the long run.
  [ link to this | view in chronology ]
Anonymous Coward, 30 Mar 2016 @ 5:53pm

Car analogy
HTML = gasoline
HTML5 = gasoline with sugar in it
[ link to this | view in chronology ]
Anonymous Coward, 30 Mar 2016 @ 8:11pm

this is stupid, by baking it in your pretty much guaranteeing that the drm will be broken and stay broken because w3c isnt going to want to fight the constant never ending war to stay one step ahead of people breaking it. protections in silver light and flash have been broken repeatedly and they have to stay on top of it. somehow I dont see the anyone having the same profit motivation to continually patch and upgrade baked in drm. I see this playing out like dvd and blu-ray drm once cracked it will stay cracked for a good long while. which will mean content providers looking for alternative solutions.
[ link to this | view in chronology ]
Adrian Cochrane (profile), 30 Mar 2016 @ 8:59pm

Re
Some comments based on my personal understanding from what I've read about this.

First my understanding is that this Recommendation does not actually dictate any DRM, it provides a hole in the specifications labeled "DRM magic happens here". As such browsers could update that hole, keeping ahead of attacks, without breaking compliance. The DRM is actually browser specific.

Also, if as suggested, the intent is to secure WebRTC communications by extending the browser:
1) This is not how it's used (by Netflix) and advertised (by Apple as "HTML5 Premium Video")
2) Hey, while you're writing native code to extend the browser to add encrypted communications, why not create a cross platform GTK application around it? If you do that, you really don't need this standard, and besides HTML5 is mostly a bunch of bloat to me.
[ link to this | view in chronology ]
- John Fenderson (profile), 30 Mar 2016 @ 10:07pm
  
  Re: Re
  "Recommendation does not actually dictate any DRM, it provides a hole in the specifications labeled "DRM magic happens here"."
  
  That's correct. It's also why literally the only argument for why this should be part of the HTML standard is complete bullshit. The argument in favor is that by doing this, browser plugins will no longer be needed to access DRM'd stuff, since it will be standardized.
  
  But that's just a lie -- it will not be standardized. All this does is standardize a brand new plugin system, so everything ends up just as it was without the standard.
  
  Except that HTML is made worse.
  [ link to this | view in chronology ]
Adrian Cochrane (profile), 30 Mar 2016 @ 9:20pm

Re: Re: Re: Disabling Digital Restrictions Management support
Certainly people should change their defaults to something more private, but they shouldn't have to.
People just don't do it, and it should be the developer's responsibility to configure nice, convenient, and secure defaults.

This is important because the loss of privacy isn't an individual's concern but a societal one, and additionally those who value privacy should be able to hide amongst those who don't care.
[ link to this | view in chronology ]
Dave Cortright (profile), 30 Mar 2016 @ 10:55pm

A standard isn't a mandate
Let the W3C say whatever they want about DRM in HTML5. Heck, they can take a page out of the Microsoft Windows book and require a ham sandwich. But they can't force all browsers to implement all the "requirements".

I—for one—will look for my browsers to be HTML5 + DRM free. And if that means my browser isn't technically HTML5 compliant, I'm comfortable with that.
[ link to this | view in chronology ]
Whatever (profile), 31 Mar 2016 @ 10:11am

One of the biggest problems you run into is the simple question: "who is a security researcher?".

The answer would be that almost every hacker in the world would claim to be "just researching" when they are caught trying to get around HTML5's DRM sceheme. So once you carve out an exception, everyone will pile in and claim to be exempt.

What I love here is that this is EXACTLY like the Techdirt claims against backdoors in encryption. Once you offer up a backdoor, the bad people will take advantage. Creating an exception in the rules will create the exact back door you have warned us against over and over again.
[ link to this | view in chronology ]
- John Fenderson (profile), 31 Mar 2016 @ 10:15am
  
  Re:
  A "security researcher" is anyone who is looking into the security of a thing.
  
  "The answer would be that almost every hacker in the world would claim to be "just researching" when they are caught trying to get around HTML5's DRM sceheme."
  
  They can claim that, sure, but that doesn't mean their claim will hold up.
  
  If all they were doing is actual research (regardless of the purpose for the research), all is well. If they were actually engaging in nefarious activities, though, then claiming "research" would hardly stand up when the prosecution presents the evidence of the nefarious activities.
  [ link to this | view in chronology ]
  - nasch (profile), 31 Mar 2016 @ 10:26am
    
    Re: Re:
    If they were actually engaging in nefarious activities, though, then claiming "research" would hardly stand up when the prosecution presents the evidence of the nefarious activities.
    
    You don't understand, we have to magically prevent people from doing the bad things. You can't expect copyright holders to actually take infringers to court after the fact, can you? That would take time, effort, and money!
    [ link to this | view in chronology ]
  - Whatever (profile), 31 Mar 2016 @ 1:42pm
    
    Re: Re:
    " claiming "research" would hardly stand up when the prosecution presents the evidence of the nefarious activities."
    
    Imagine someone comes up with a nice little patch to get around the DRM and allow streams to be captured and shared. They found it while doing "research", and they then release a plugin for others to "research" to see if the phenomena is actually easily replicated. By the time you stop the "researcher" the plugin is already in the wild and shared around, and duplicate plugins and such will get released...
    
    Meanwhile, the original "researcher" says that he had no intention of breaking the law, and like DVD replication software, the intent wasn't to pirate anything. So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research.
    
    Simply, you would create ANOTHER level of deniability, which would be a big fail. By the time you get through it all, the DRM is destroyed and the point made moot.
    [ link to this | view in chronology ]
  - Whatever (profile), 31 Mar 2016 @ 1:42pm
    
    Re: Re:
    " claiming "research" would hardly stand up when the prosecution presents the evidence of the nefarious activities."
    
    Imagine someone comes up with a nice little patch to get around the DRM and allow streams to be captured and shared. They found it while doing "research", and they then release a plugin for others to "research" to see if the phenomena is actually easily replicated. By the time you stop the "researcher" the plugin is already in the wild and shared around, and duplicate plugins and such will get released...
    
    Meanwhile, the original "researcher" says that he had no intention of breaking the law, and like DVD replication software, the intent wasn't to pirate anything. So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research.
    
    Simply, you would create ANOTHER level of deniability, which would be a big fail. By the time you get through it all, the DRM is destroyed and the point made moot.
    [ link to this | view in chronology ]
    - nasch (profile), 31 Mar 2016 @ 1:56pm
      
      Re: Re: Re:
      So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research.
      
      So you're actually saying it would be a bad thing that a plaintiff would have to prove that the defendant had nefarious intent. The intent should just be written into the law, and anyone breaking DRM should be punished as though they intended to infringe copyright, whether they did or not.
      [ link to this | view in chronology ]
      - Whatever (profile), 31 Mar 2016 @ 7:28pm
        
        Re: Re: Re: Re:
        Again, the problem is that you increase the burden substantially by requiring proof of intent. If you cannot 100% prove intent, then the patch is out there in the hands of people who do have bad intent, and the game becomes whack a mole.
        
        It would just create another way to excuse bad behavior.
        [ link to this | view in chronology ]
        
        nasch (profile), 31 Mar 2016 @ 8:36pm
        
        Re: Re: Re: Re: Re:
        If you cannot 100% prove intent...
        
        There is no legal action in which a US court requires 100% proof. In a civil action, the burden of proof is preponderance of the evidence.
        [ link to this | view in chronology ]
    - John Fenderson (profile), 31 Mar 2016 @ 2:38pm
      
      Re: Re: Re:
      First of all, no amount of law against research will stop people from probing it to find the vulnerabilities. Further, any cracks made by bad actors will be distributed just as widely as if such a law didn't exist.
      
      If that's the point, then the idea is a huge fail from the start. All it will do is make sure that any vulnerabilities found will be in the hands of criminals while making it impossible for the good guys to talk about, or do, anything.
      
      "Meanwhile, the original "researcher" says that he had no intention of breaking the law, and like DVD replication software, the intent wasn't to pirate anything. So now you have to prove that (a) he wasn't researching, (b) he intended his patch or plug in for piracy and not research."
      
      No, you really don't. You just have to prove that he broke the law.
      [ link to this | view in chronology ]
      - Whatever (profile), 31 Mar 2016 @ 7:32pm
        
        Re: Re: Re: Re:
        They can talk about it, they just can't do it.
        
        No matter what, there will be security holes. They are unavoidable in modern code (thanks for the proof, Apple!). However, the question is one of ease of distribution and easy of discussion that would lead to widespread use of the holes. A small number of dark web types sharing a patch isn't the same as all users downloading a free patch that disables DRM. Without wide legal distribution, patches generally shouldn't catch on enough to be an issue versus patches to fix them.
        
        "You just have to prove that he broke the law."
        
        Yes, and if the intent isn't to go after people who are breaking the law, where does that leave you? It gets pretty messy when you say "hey, just ignore the law, because, well, we want you to play". The law says don't circumvent, so the solution ends there.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 1 Apr 2016 @ 6:49am
        
        Re: Re: Re: Re: Re:
        "They can talk about it, they just can't do it."
        
        In this case, the two are the same thing. If they can't do it, then they have nothing to talk about. If they do it, then they can't take the legal risk of talking about it.
        
        "No matter what, there will be security holes."
        
        Exactly right, which is why it's important that there be a way to find them.
        
        "The law says don't circumvent, so the solution ends there."
        
        I should have been more specific. What is in dispute is a variation on anticircumvention laws and whether or not they are good things. I maintain they are terrible, counterproductive, and restrict people from doing things that nobody would argue are bad.
        
        So in this context, when I'm talking about breaking the law, I'm not talking about the law we're disputing over, I'm talking about the other laws that are aimed directly at nefarious behavior.
        [ link to this | view in chronology ]
- Ninja (profile), 1 Apr 2016 @ 8:53am
  
  Re:
  Who? Anybody looking for security issues without using them for criminal activity (ie: taking financial advantage, holding machines hostage etc). It's actually very simple. If I have a gun but I don't use it to rob or murder people then I'm not a criminal. Simple as that.
  
  The answer would be that almost every hacker in the world would claim to be "just researching" when they are caught trying to get around HTML5's DRM sceheme.
  
  Yes, why not? Of course said hackers can claim whatever they want but it would be quite hard to sustain it if there's evidence that financial advantage was obtained directly from the flaws and not from disclosing the vulnerabilities so they can be patched.
  
  Creating an exception in the rules will create the exact back door you have warned us against over and over again.
  
  Copyright is already an exception. And you are right, look how thoroughly and regularly it's abused. DRM itself is an abhorrent byproduct of this exception.
  [ link to this | view in chronology ]
Anonymous Coward, 31 Mar 2016 @ 2:47pm

The solution
is to run an RBL that indexes DRM enabled content, and let the browser throw a 400 error.

Really browsers should have been doing this since about HTML 1.1, but Mozilla went with a "we support everything" model because that is what Redmond did. Which is why the whole world wide web is engineered to be insecure and broken now.

And now that the web is fubar'd, Redmond's forking the whole Internet with Teredo, and leaving Mozilla battered and crying, with it's panties around it's ankles in a dark alley. Pretty much just like every technology they have ever "embraced".

THIS is why you should support open source software.
[ link to this | view in chronology ]