An Open Letter to Members of the W3C Advisory Committee
Dear member of the World Wide Web Consortium's Advisory Committee,
You may have heard that over the past year we've been trying to insert legal safeguards into the Encrypted Media Extensions project at the W3C, which standardizes streaming video DRM. We've previously been opposed to the W3C adopting EME, because of the legal issues around DRM, and because DRM requires user agents to obey third parties, rather than their owners.
However, we think that there's a compromise that both DRM advocates and opponents should be able to live with.
I'm writing today to see if you will support us in an upcoming W3C vote on the charter of the Media Extensions Group, where we will be proposing this compromise.
This letter briefly describes the problem, our proposed solution, and what you can do to help.
Our major problem with DRM is legal, not technical. In the USA, section 1201 of the Digital Millennium Copyright Act (DMCA) forbids breaking DRM, even for lawful purposes, and gives companies the legal tools to threaten and silence security researchers who discover defects in their products (because disclosure of a defect might help people break the DRM).
Neither of these legal effects is good for open standards (you don't have to take our word for it).
Giving vendors the power to silence security researchers doesn't make users safer -- it just makes vulns last longer in the wild, exploitable by bad guys (from autocratic state security services to organized crime).
Equally significant in the world of open standards is protecting interoperability. The normal course of things in technology is that one company may make a product that interoperates with another company's products, provided that they don't violate a patent or engage in some other illegal conduct. But once DRM is in the mix, interoperability is only legal with permission.
Here's an example: if the W3C defines a data-type, anyone can make a user-agent that can receive and render that data. The people designing user agents might do things that the people running the servers disapprove of (for example, blocking pop-up ads), but that's not illegal -- so long as you don't break the law, the company serving the data can't dictate how the companies making the clients must handle it.
With EME, and for the first time in W3C history, a protocol is being designed explicitly to allow companies who serve data to use the law to shut down companies that render it, even if they do not infringe copyright. Features as simple as a pause button, or time-shifting, or even changing the gamut to adapt to color blindness can't be undertaken without permission from the companies serving the video, without falling afoul of the DMCA.
Not just the DMCA, either. The US Trade Representative has made adopting DMCA-like anticircumvention rules a condition of trade with the USA in most of the world.
We've proposed a simple solution, patterned after the existing W3C patent policy. The patent policy doesn't take a position on whether patents are good or bad, but it does hold that standards are more open if you don't have to license a patent to implement them, so W3C members are required to promise not to sue others for practicing their patents when implementing W3C recommendations.
Our proposal does the same thing, except for anti-circumvention rights (rather than patents). Members who participate in the Media Extensions Working Group will have to make a legally binding promise not to use anti-circumvention laws to aggress against security researchers or implementers.
All other rights and causes of action -- trade secrecy, copyright, tortious interference, breach of contract -- are intact. We did a survey of US case-law on anti-circumvention and all the cases in our survey could have proceeded even if the private plaintiff was a party to our covenant -- so we're not proposing to take away any of the legal rights businesses are depending on for legitimate business, only for threats and chilling effects.
What We Want From You
The Media Extensions Working Group has had its charter renewed until September, and it's unlikely that EME will be ready to be a recommendation by then. The last charter renewal was controversial, with a diverse group of members objecting to the renewal unless the covenant was made a condition of participation.
For the next extension, we're building a coalition of W3C members who will ask that the charter only be renewed with a mutually agreed-upon covenant as an exit condition.
Will your organization commit to objecting to the renewal in September, unless a nonaggression covenant is added as an exit-condition?
I would love to discuss this further with you, either by email or on the phone, if you prefer. In the meantime, here are some links with more detail:
- History of EME and the covenant at the W3C
- Interoperability use-cases blocked by EME
- Open Source Initiative on covenants in EME-like standards
- Security researchers who support this proposal
Representative to the W3C Advisory Committee for the Electronic Frontier Foundation