The World Wide Web Consortium at a Crossroads: Arms-Dealers or Standards-Setters?
The World Wide Web Consortium (W3C) has a hard decision to make: a coalition including the world's top research institutions; organizations supporting blind users on three continents; security firms; blockchain startups; browser vendors and user rights groups have asked it not to hand control over web video to some of the biggest companies in the world. For their part, those multinational companies have asked the W3C to hand them a legal weapon they can use to shut down any use of online video they don't like, even lawful fair use.
Is the W3C in the business of protecting the open web and its users, or is it an arms-dealer supplying multinational companies with the materiel they need to rule the web? We're about to find out.
The W3C makes the open standards that allow anyone to make a browser that can read all the documents on the web, and anyone to make a document that can be read by any of those browsers. But in 2013, the W3C started work on a project to give entertainment companies control over who could make a browser that could show streaming videos, creating a standard for "encrypted media extensions" (EME) that Hollywood would control. Even if you make an EME-capable browser that doesn't violate any copyright laws, it will only show you videos if it also gets the blessing of some of the biggest media companies in the world.
Like all businesses, media companies have a mix of commercial preferences and legal rights. For example, companies have the legal right to prevent people from making and distributing copies of their videos, with important exceptions. The same copyright law that gives them that right also gives you—the viewer—legal rights, like the right to record a video to watch later, or to convert the video to a format that can be enjoyed by blind people. Maybe they'd prefer that you not record videos for later (for example, so they can charge extra for a "home recording" feature), but that's just a preference, not a right.
For decades, media companies have tried to convert their commercial preferences to legal rights, by invoking a 1998 law called the Digital Millennium Copyright Act (DMCA). Section 1201 of the DMCA makes it illegal to bypass software that locks up copyrighted works, even when you're doing something totally legitimate, like converting a video you're allowed to watch so it will play on an unsupported device. Companies design their products so that locking software (called "Digital Rights Management" or DRM) enforces their preferences, then argue that since breaking the DRM is illegal, anything that displeases them is therefore a crime.
Companies whose browsers include EME can use DMCA 1201 to threaten competitors—or anyone, really—engaged in legitimate activities that have been vital to the web since day one. They can attack people who are adding features to help visually disabled people; they can attack companies adding legal features like time- and format-shifting; and scariest of all, they can attack security researchers who reveal defects in browsers that put every web user at risk. Security professionals who reveal companies' embarrassing software mistakes are often accused of breaking digital locks, since knowledge of software errors may be used to bypass DRM.
If the W3C approves EME, everything changes. The "open standards" that made the web so vibrant and democratic will only be available to people who promise not to offend the entertainment industry. In fact, the Open Source Initiative—the world's leading body for certifying open standards—has said that EME won't qualify as an open standard at all, a shameful first in the W3C's proud history.
EFF would prefer that the W3C abandon EME altogether. The W3C's job isn't to help companies make up private laws whose enforcement can be outsourced to public courts. When the W3C announced EME, we paid to join the W3C and make this argument from the inside. The W3C sided with the giant companies pushing for DRM in web standards. The W3C told us that we had a problem with the DMCA, not a problem with DRM itself (actually, we have a problem with both).
So we offered a compromise: take the DMCA off the table. Make W3C members promise not to use DMCA 1201 against anyone engaged in legitimate activity—activity that didn't violate copyright or any other law. Let security researchers—not the companies they embarrass—decide when and how to talk about the defects they find. Let accessibility organizations create tools to help people with disabilities. Let innovative companies make lawful products. As far as we can tell, there has never been a case where this would have prevented a legitimate rights-enforcement action. So if the W3C approved our proposal, things would stay exactly as they are: companies could enforce all the rights that Congress gave them, but wouldn't be able to use W3C standards to create new rights for themselves.
Now, the decision is in the W3C's hands. The charter for the EME working group runs out on November 30th, and the major corporations pushing for EME have said that they're done with their major work and ready to have the W3C publish their work without any safeguards against legal abuse.
In October, the W3C polled its members about EME. Dozens of those members spoke loudly and on the public record, demanding that the W3C halt work on EME unless some step is taken to prevent abuse of laws like the DMCA. Those members include:
* The Royal National Institute for Blind People (UK); Media Access Australia and Vision Australia; and Benetech and SSB Bart (USA): three continents' worth of blind-rights advocacy organizations. EME means that groups like these won't be able to make tools to adapt video for their specific disabilities (for example, a tool to shift the colors of videos to help color-blind people; or a machine-learning tool that automatically adds descriptive tracks to videos);
* Brave: a new entrant into the browser market. Companies that are starting out want to offer all legal features to their users, not just the ones that the entertainment companies and old browser companies have decided we should get;
* Oxford University, The Eindhoven University of Technology, King's College London, The Open University, Lawrence Berkeley Labs, and others, representing some of the world's leading research institutions. Their researchers can't afford to risk legal retaliation for investigating and reporting on defects in browsers;
* Ripple, Ethereum, Blockstream: three of the world's leading blockchain companies; they were joined by White Ops, a security company run by some of the industry's best-respected experts. People who understand information security and cryptography are rightly alarmed at the thought of browsers that are off-limits to security researchers who can surface problems before they are exploited and used to attack users and companies alike;
* Hypothes.is and Dublin Core: two leading representatives of the open data/metadata sector. The web depends on an open platform that anyone can improve, annotate and extend;
* Deutsche Nationalbibliothek: the national library of Germany, charged with archiving all German copyrighted works;
* Vivliostyle: a critical member of the standards community who has contributed significantly to the W3C community. Open standards can't be subject to a veto from a handful of self-interested companies;
* Electronic Frontier Foundation and the Center for Democracy & Technology: user-rights organizations with a long track record of fighting against corporate abuse of the standards-setting process.
Security researchers are alarmed, too. Hundreds of researchers have called on the W3C to protect their work. A group of principal investigators from CSAIL, MIT's computer science department -- which hosts the W3C -- sent a letter to the W3C executive, expressing concern that EME presents a danger to the work of MIT researchers and independent researchers alike, and calling out EME for what it is: a way to put proprietary content on the Web. This group was organized by Hal Abelson, one of the most esteemed computer scientists in the field today.
The W3C itself is deeply divided on this issue. The organization's head of strategy, Wendy Seltzer, publicly called on the organization to protect the web from DMCA abuse; she's joined by leading engineers from the W3C, who signed the security researchers' open letter.
Other web standards bodies, like the Web Hypertext Application Technology Working Group, have condemned the W3C for failing to protect innovators, disabled people and security researchers from the fallout from standardizing DRM.
DRM and the open web are not compatible with one another. The W3C exists to broker consensus among the web's many stakeholders, not to steamroller startups, disabled people, public interest groups, researchers, cryptographers, libraries and the academic and security communities on behalf of giant global corporations.
The other side of this debate argues that the DMCA might not apply to EME, so there's no reason to worry. We say they're wrong. The rules in DMCA 1201 have been spread across the world by the US Trade Representative—Israel is a notable exception, so it's no coincidence that the only security researcher who came forward to announce that Google's EME had been badly broken for six years was Israeli. There isn't a legal authority alive who could promise that people making legitimate changes to browsers with EME have nothing to fear from all these DMCA-alikes.
The stakes are high. We can't afford the gamble that the companies who want EME are right when they say it won't let them abuse the DMCA—if they're so certain that they can't invoke the DMCA over EME, it would cost them nothing to promise never to do so. The fact that they won't make this promise tells you everything you need to know about their assurances.
In the meantime, if you've found vulnerabilities in EME-equipped browsers, we want to know about it. We've been defending people on the front lines of the open internet since 1992.