The latest episode of the technology podcast Reply All features an excellent summary of some of the issues with the World Wide Web Consortium's current project to create a standard for restricting the use of videos on the web; we've created this post for people who've just listened to the episode and want to learn more.

What's going on?

The World Wide Web Consortium (W3C) is a standards body: they work to create open standards, rules for connecting up the web that anyone can follow, guaranteeing that anyone can make a web browser, web server, or website.

In 2013, the W3C gave in to pressure from a few entertainment companies and big tech companies to make a new kind of standard: a standard for limiting how people could use the videos that they watched in their browser. These controlling technologies are called "Digital Rights Management" (DRM), and the W3C's DRM standard is called "Encrypted Media Extensions" (EME).

What is EME for?

That's a good question! The companies that want EME say that they need it to prevent copyright infringement. But long experience with DRM has shown, time and again, that it's just not hard to bypass these systems, and once one person figures out how to do that, they can upload un-DRMed versions of the videos to websites where people who want to violate copyright can go (the host of the Reply All episode explains right at the start that he does this when he can't get DRM to work).

If DRM is about preventing piracy, it's not doing a very good job.

OK, so what is EME for then?

We think the real story here isn't the technology, it's the law.

In 1998, Congress passed the Digital Millennium Copyright Act (DMCA), which includes an "anti-circumvention" rule that sets out very harsh penalties for tampering with DRM, and is worded so badly and broadly that it has been used to threaten, sue and even jail people who break DRM, even for a lawful reason.

When DRM is deployed, it's never limited solely to preventing people from violating copyright law -- it also stops people from doing things that copyright law permits, but that companies don't like. Companies have all kinds of wishes about how their customers would use their products, but those are just wishes, not law. But when companies use DRM to enforce those wishes, they can turn them into law, because breaking the DRM is against the law.

Take Netflix, one of the companies really eager to see DRM added to browsers. Netflix started out by mailing DVDs to its customers, something the movie studios hated. But Netflix bought those DVDs fair and square, and even though the copyright holders behind those discs didn't want Netflix to mail them around, those wishes were not laws, and so Netflix got to grow into the service we all use today.

Today's Netflix has wishes, too: they want to stop you from recording your Netflix streams to watch later, or to move onto other devices. Those are just wishes too -- the same copyright law that makes DVRs and VCRs legal apply to Netflix streams too. But once Netflix uses EME to prevent you from doing this stuff, it can treat its wishes as laws -- and demand that you do the same.

Are you sure this is just about laws?

Pretty sure, yup! Just to double-check, EFF proposed a solution that would cleanly separate the technology from the broad powers that corporations get from DMCA 1201. Under our proposal, W3C members would agree that they could only use DMCA 1201 to stop people from doing something that was already illegal, like movie piracy.

More than 40 W3C members support this proposal, but the companies that want DRM won't hear of it, and last week, the W3C's Director signaled that he wouldn't listen to the members who want this -- rather, he'll let the W3C be turned into an organization where big companies go to get new avenues for legal control, instead of new technologies.

What will EME mean for the web?

Once a company uses DRM in its product, it can threaten anyone who opens up that product in ways they don't like. The exact boundaries of DMCA 1201 are contested, with prosecutors, rightsholders, and some courts arguing for a very expansive scope. Because the penalties for losing a DMCA claim are so scary -- in some commercial circumstances it could mean a $500,000 fine and a 5-year prison sentence for a first offense! -- few people want to operate in the gray area threatened by DMCA 1201.

There are three important groups in the web ecosystem who will lose their rights thanks to EME:

  1. Competitors: these are the intended targets of EME. Companies, free software projects, and individuals who want to let people do more with the videos in their browsers will need permission from the Netflixes of the world in order to develop their tools. It's a first for the W3C: a standard that's designed to stop people from improving the web in lawful ways.
  2. Security whistleblowers: these are an unintended -- but welcome (for some companies) -- target for EME. DRM advocates have said that merely disclosing defects in products that use DRM violates Section 1201 of the DMCA. The thinking goes like this: "When you tell people about the errors we made in designing our products, you also show them where the weak points in our DRM's armor is." Security researchers are routinely stopped from going public when they discover high-risk defects in widely used products because their institutions fear reprisal under DMCA 1201. Rather than protecting the right of these researchers to make truthful statements about defective products, the W3C is crafting voluntary guidelines to help its members to decide when to censor reports of defects in their products.
  3. People with disabilities: these are also an unintended target of EME. EME includes many adaptations to help those with disabilities enjoy videos, but there are plenty of ways this could be improved. Normally, adapting technology to accommodate disabilities is all about writing code, but because these adaptations would require bypassing DRM, accessibility toolsmiths will need to clear a thicket of permissions before they start work (or risk criminal and civil penalties).

Who else feels this way?

Lots of organizations in the W3C and hundreds of leading security researchers. The W3C members who've gone on record as supporting EFF's position include:

  • Accessibility organizations: Royal National Institute of Blind People (UK); Braillenet (France); Vision Australia and Media Access Australia (Australia); Benetech and SSB Bart (USA)
  • Research institutes: Lawrence Berkeley Labs; Eindhoven, Oxford, Kings College London, Open University, Vrije University
  • Public interest groups: EFF, Center for Democracy and Technology
  • Cryptocurrency, blockchain and security groups: Ethereum, Blockstream, White Ops
  • Commercial firms, webscale projects and browsers:, Vivliostyle, Brave

Is this just a US problem?

Alas, no: the US Trade Representative has been a busy beaver, convincing almost all of the US's trading partners (with the sole exception of Israel) to adopt rules like this.

But EFF is on the case: we're suing the US government to invalidate section 1201 of the DMCA.

Related Issues