March 9, 2016 | By Cory Doctorow

Standards Are Only Open If They Protect Security and Interoperability

The Open Source Initiative, a nonprofit that certifies open source licenses, has adopted an important principle about standards, DRM, and openness, and just in time, too.

The World Wide Web Consortium (W3C), which makes the core standards that the Internet runs on, is in the midst of a long, contentious effort to add "DRM" (Digital Rights Management[1]) to HTML5, the next version of the Web. Laws like the Digital Millennium Copyright Act (which has analogs all over the world) give companies the power to make legal threats against people engaged in important, legitimate activities. Because the DMCA regulates breaking DRM, even for legal reasons, companies use it to threaten and silence security researchers who embarrass them by pointing out their mistakes, and to shut down competitors who improve their products by adding legitimate features, add-ons, parts, or service options. The Web relies on the distributed efforts of independent security researchers, and its historic strength has been the ability of companies and individuals to innovate without permission, even when they were disrupting an existing business.

We tried to dissuade the W3C from adopting DRM, but failed. Now we're on to Plan B, a proposal modelled on the W3C's existing policies, which asks companies to promise not to sue security researchers or competitors for the mere act of breaking DRM. Companies can still sue anyone who hacks their users, violates their copyrights, or interferes with their service, but they have to use laws specific to those activities. We call it a non-aggression covenant, and by signing it, companies only give up the right to sue people who've done nothing wrong. The covenant doesn't interfere in any way with the rights companies have under other copyright laws, tort law, and trade secret law.

No one's ever tried anything like this, because no open standards body like the W3C has ever tried to standardize something as divisive as DRM. Our solution is a new one, but it's also a good one.

Today, the Open Source Initiative validated our approach. They adopted a set of "Principles of DRM Nonaggression for Open Standards," based on our proposal to the W3C, telling standards bodies that their work can only be called "open" under OSI's definition if they take steps to protect implementers and security researchers:

An "open standard" must not prohibit conforming implementations in open source software. (See Open Standards Requirement for Software).

When an open standard involves content restriction technology commonly known as Digital Rights Management (DRM)—either directly specifying an implementation of DRM or indirectly consuming or serving as a component within DRM technology—the laws in some jurisdictions against circumvention of DRM may hinder efforts to develop open source implementations of the standard. In order to make open source implementations possible, an open standard that involves DRM needs an agreement from the standards body and the authors of the standard not to pursue legal action for circumvention of DRM. Such an agreement should grant permission to:

• circumvent DRM in implementations of the open standard
• distribute implementations of the open standard, even if the implementation modifies some details of the open standard
• perform security research on the open standard or implementations of the open standard, and publish or disclose vulnerabilities discovered

We are deeply appreciative of the OSI's support for this approach. The core standards of the Internet are on a collision course with a notoriously bad law, and with their help, we may be able to steer it clear of the worst danger.

[1] Or Digital Restrictions Management