A Call to the Security Community: The W3C's DRM Extension Must Be Investigated
The World Wide Web Consortium has published a "Candidate Recommendation" for Encrypted Media Extensions, a pathway to DRM for streaming video.
A large community of security researchers and public interest groups have been alarmed by the security implications of baking DRM into the HTML5 standard. That's because DRM, unlike all the other technology that the W3C has ever standardized, enjoys unique legal protection under a tangle of international laws, like the US Digital Millennium Copyright Act, Canada's Bill C-11, and EU laws that implement Article 6 of the EUCD.
Under these laws, companies can threaten legal action against researchers who circumvent DRM, even if they do so for lawful purposes, like disclosing security vulnerabilities. Last summer, a who's-who of America's most esteemed security researchers filed comments with the US Copyright Office warning the agency that they routinely discovered vulnerabilities in systems from medical implants to voting machines to cars, but were advised not to disclose those discoveries because of the risk of legal reprisals under Section 1201 of the DMCA.
Browsers are among the most common technologies in the world, with literally billions of daily users. Any impediment to reporting vulnerabilities in these technologies has grave implications. Worse: HTML5 is designed to provide the kind of rich interaction that we see in apps, in order to challenge apps' dominance as control systems for networked devices. That means browsers are now intended to serve as front-ends for pacemakers and cars and home security systems. Now more than ever, we can't afford any structural impediments to identification and disclosure of browser defects.
There is a way to reconcile the demands of browser vendors and movie studios with the security of the web: last year, we proposed an extension to the existing W3C policy on patents, which says that members are forbidden from enforcing their patent rights to shut down implementations of W3C standards. Under our proposal, this policy would also apply to legal threats under laws like the DMCA. Members would agree upon a mutually acceptable, binding covenant that forbade them from using the DMCA and its global analogs to attack security researchers who revealed defects in browsers and new entrants into the browser market.
So far, the W3C has rejected this proposal, despite broad support from security and privacy professionals around the world, and despite new evidence of the need to investigate technical flaws in the EME specification. In June, security researchers in Israel and Germany revealed a showstopper bug in Chrome's implementation and promised to look at Firefox, Safari and Edge next.
We will keep working to persuade the W3C to adopt our sensible proposal. In the meantime, we urge the security research community to subject all EME implementations to the closest possible scrutiny. The black hats who are already doing this are not bound by fear of the DMCA, and they are delighted to have an attack surface that white hats are not allowed to investigate in detail.
Even with this handicap, white hats discover serious vulnerabilities. Every discovery proves the need to let researchers examine the full scope of possible security flaws. If you are investigating a system or wish to disclose a flaw and need legal advice, please contact our intake address.