from the this-is-bad dept
For years now, we've discussed the various problems with the push (led by the MPAA, but with some help from Netflix) to officially add DRM to the HTML 5 standard. Now, some will quibble with even that description, as supporters of this proposal insist that it's not actually adding DRM, but rather this "Encrypted Media Extensions" (EME) is merely just a system by which DRM might be implemented, but that's a bunch of semantic hogwash. EME is bringing DRM directly into HTML and killing the dream of a truly open internet. Instead, we get a functionally broken internet. Despite widespread protests and concerns about this, W3C boss (and inventor of the Web), Tim Berners-Lee, has signed off on the proposal. Of course, given the years of criticism over this, that signoff has come with a long and detailed defense of the decision... along with a tiny opening to stop it.
There are many issues underlying this decision, but there are two key ones that we want to discuss here: whether EME is necessary at all and whether or not the W3C should have included a special protection for security researchers.
First, the question of whether or not EME even needs to be in HTML at all. Many -- even those who dislike DRM -- have argued that it was kind of necessary. The underlying argument here is that certain content producers would effectively abandon the web without EME being in HTML5. However, this argument rests on the assumption that the web needs those content producers more than those content producers need the web -- and I'm not convinced that's an accurate portrayal of reality. It is fair to note that, especially with the rise of smart devices from phones to tablets to TVs, you could envision a world in which the big content producers "abandoned" the web and only put their content in proprietary DRM'd apps. And maybe that does happen. But my response to that is... so what? Let them make that decision and perhaps the web itself is a better place. And plenty of other, smarter, more innovative content producers can jump in and fill the gaps, providing all sorts of cool content that doesn't require DRM, until those with outdated views realize they're missing out. Separately, I tend to agree with Cory Doctorow's long-held view that DRM is an attack on basic computing principles -- one that sets up the user as a threat, rather than the person who owns the computer in question. That twisted setup leads to bad outcomes that create harm. That view, however, is clearly not in the majority, and many people admitted it was a foregone conclusion that some form of EME would move forward.
The second issue is much more problematic. A bunch of W3C members had made a clear proposal that if EME is included, there should be a covenant that W3C members will not sue security researchers under Section 1201 of the DMCA should they crack any DRM. There is no reason not to support this. Security researchers should be encouraged to be searching for vulnerabilities in DRM and encryption in order to better protect us all. And, yet, for reasons that no one can quite understand, the W3C has rejected multiple versions of this proposal, often with little discussion or explanation. The final decision from Tim Berners-Lee on this is basically "sure a covenant not to sue would have been nice, and we think companies shouldn't sue, but... since this wasn't raised at the very beginning, we're not supporting it":
We recommend organizations involved in DRM and EME implementations ensure proper security and privacy protection of their users. We also
recommend that such organizations not use the anti-circumvention
provisions of the Digital Millennium Copyright Act (DMCA) and similar laws around the world to prevent security and privacy research on the specification or on implementations. We invite them to adopt the proposed best practices for security guidelines [7] (or some variation),
intended to protect security and privacy researchers. Others might advocate for protection in public policy fora – an area that is outside the scope of W3C which is a technical standards organization. In addition, the prohibition on "circumvention" of technical measures to protect copyright is broader than copyright law's protections against infringement, and it is not our intent to provide a technical hook for those paracopyright provisions.
Given that there was strong support to initially charter this work
(without any mention of a covenant) and continued support to
successfully provide a specification that meets the technical
requirements that were presented, the Director did not feel it
appropriate that the request for a covenant from a minority of Members
should block the work the Working Group did to develop the specification
that they were chartered to develop. Accordingly the Director overruled these objections.
This is unfortunate. What's bizarre is that the supporters of DRM basically refuse to discuss any of this. Even just a few days ago, the Center for Democracy and Technology proposed a last-ditch "very narrow" compromise to protect a limited set of security and privacy researchers (just those examining implementations of w3C specifications for privacy and security flaws.) Netflix flat out rejected this compromise saying that it's "similar to the proposal" that was made a year ago. Even though it's not. It was more narrowly focused and designed to respond to whatever concerns Netflix and others had.
The problem here seemed to be that Netflix and the MPAA realized that they had enough power to push this through without needing to protect security researchers, and just decided "we can do it, so fuck it, let's do it." And Tim Berners-Lee -- who had the ability to block it -- caved in and let it happen. The whole thing is a travesty.
Corry Doctorow has a thorough and detailed response to the W3C's decision that pushes back on many of the claims that the W3C and Berners-Lee have made in support of this decision. Here's just part of it:
We're dismayed to see the W3C literally overrule the concerns of its public interest members, security experts, accessibility members and innovative startup members, putting the institution's thumb on the scales for the large incumbents that dominate the web, ensuring that dominance lasts forever.
This will break people, companies, and projects, and it will be technologists and their lawyers, including the EFF, who will be the ones who'll have to pick up the pieces. We've seen what happens when people and small startups face the wrath of giant corporations whose ire they've aroused. We've seen those people bankrupted, jailed, and personally destroyed.
This was a bad decision done badly, and Tim Berners-Lee, the MPAA and Netflix should be ashamed. The MPAA breaking the open internet I can understand. It's what that organization has wanted to do for over a decade. But Netflix should be a supporter of the open internet, rather than an out and out detractor.
As Cory notes in his post, there is an appeals process, but it's never been used before. The EFF and others are exploring it now, but it's a hail mary process at this point. What a shame.
Filed Under: circumvention, copyright, dmca, drm, eme, html, html 5, research, security, tim berners-lee
Companies: mpaa, netflix, w3c