DRM Non-Aggression on the Table at W3C

March 16, 2016

The World Wide Web Consortium (W3C) will consider adopting a DRM non-aggression covenant at its Advisory Committee meeting in Boston next week. EFF has attended several of these meetings before as a W3C member, always with the intent to persuade the W3C that supporting DRM is a bad idea for the Web, bad for interoperability, and bad for the organization. By even considering Web standards connected with DRM, the W3C has entered an unusually controversial space. Next week's membership meeting will be accompanied by demonstrations organized by the Free Software Foundation in Boston and in other cities where the W3C has a presence.

The W3C responded last week by calling for "real dialog" on how to solve problems together. EFF will be there, once again talking through the legal, technical and social risks of putting DRM in the heart of the Web with our fellow W3C members.

What's always notable when we have these conversations is how often most of the parties involved converge on just how poor a solution DRM is. The W3C is composed of many thoughtful and experienced engineers and standards writers who know, often through personal experience, how painful digital rights management is to implement, how brittle it is in the face of inevitable attack, how privacy-invasive it can be, how damaging it can be for competition, and how often unpopular it is among consumers. Indeed, it does sometimes seem that if there's one subset of the population who are even more frustrated with DRM than consumers and free software advocates, it is the people who are compelled by rightsholder contract to implement it.

Standards authors, though, also have, through practice, a particularly high tolerance for the pains of tortuous implementation requirements—and an unusually high level of optimism about achieving positive results in the face of such hardship. Our impression is that the dominant reason why the W3C (and Tim Berners-Lee, as its tie-breaking Executive Director) has continued to permit DRM to be considered in the HTML working group is their hope that within the W3C, the worst parts of DRM might be tamed. Given a choice between allowing Web-based DRM to be designed outside the W3C, or inside, they have chosen to embrace it in the belief that its risks might be contained, to the benefit of everyone.

For EFF, however, the most damaging parts of DRM can't be fixed through improved technology. DRM's technical flaws have been exacerbated by flawed law. Anti-circumvention statutes in countries across the world compensate for the weaknesses of DRM's protection model with harsh penalties for those who bypass it, even for perfectly reasonable aims. Under these laws, overriding DRM, even for lawful purposes, is a civil and criminal offense. Merely explaining to others how you did so may be considered "trafficking".

The end result is that DRM is a black box, a legal booby-trap embedded in more and more devices, which security researchers, or those seeking to re-implement it for the purposes of interoperability, can neither bypass nor even fully discuss without legal risk.

The W3C can't fix that. Even if its most optimistic goals of limiting the dangers of DRM came to pass—by defining strict sandboxing, say, or carefully cabining off its use in other Web standards—W3C standards could still be used to punish security researchers and attempts at interoperability. You can't prosecute a researcher for finding a bug in your browser, or threaten someone for using your Web standard in a lawful way you didn't approve of; but those are the dangers that hang over anyone investigating a DRM implementation.

We still don't think that the W3C should be giving DRM the time it has. But last year, as part of our Apollo 1201 project, we came up with a way to mitigate some of that legal risk. We proposed that the W3C adopt a covenant, similar to its long-standing, industry-leading patents covenant, under which its members would agree not to bring or join suit against any person, regarding a W3C specification, under laws that regulate the circumvention of technical protection measures.

Our proposal has quickly gathered support inside and outside the W3C. Other members have agreed with us that it should be a condition to continuing the working group tasked with EME. The Open Standards Initiative has taken the proposal and asserted that a standard that touches on DRM isn't really open without similar protections.

The covenant is intended to give an opportunity for the W3C's optimism about the future of the Web to shine through. The W3C's underlying vision is for a world made better by wider participation, knowledge-sharing and trust. A non-aggression pact protecting those exploring standards would serve all of those values, and restore the W3C as a leader in advancing that vision. We encourage the W3C to take this important step, and look forward to making our case in person next week.