Skip to main content

Amid Unprecedented Controversy, W3C Greenlights DRM for the Web

DEEPLINKS BLOG
July 6, 2017

Early today, the World Wide Web Consortium (W3C) standards body publicly announced its intention to publish Encrypted Media Extensions (EME)—a DRM standard for web video—with no safeguards whatsoever for accessibility, security research or competition, despite an unprecedented internal controversy among its staff and members over this issue.

EME is a standardized way for web video platforms to control users' browsers, so that we can only watch the videos under rules they set. This kind of technology, commonly called Digital Rights Management (DRM), is backed up by laws like the United States DMCA Section 1201 (most other countries also have laws like this).

Today, the W3C announced that it would publish its DRM standard with no protections and no compromises at all.

Under these laws, people who bypass DRM to do legal things (like investigate code defects that create dangerous security vulnerabilities) can face civil and criminal penalties. Practically speaking, bypassing DRM isn't hard (Google's version of DRM was broken for six years before anyone noticed), but that doesn't matter. Even low-quality DRM gets the copyright owner the extremely profitable right to stop their customers and competitors from using their products except in the ways that the rightsholder specifies.

EFF objects to DRM: it's a bad idea to make technology that treats the owner of a computer as an adversary to be controlled, and DRM wrecks the fairness of the copyright bargain by preventing you from exercising the rights the law gives you when you lawfully acquire a copyrighted work (like the rights to make fair uses like remix or repair, or to resell or lend your copy).

But EFF understood that the W3C had members who wanted to make DRM, so we suggested a compromise: a covenant, modeled on the existing W3C member-agreement, that would require members to make a binding promise only to use the law to attack people who infringed copyright, and to leave people alone if they bypassed DRM for legal reasons, like making W3C-standardized video more accessible for people with disabilities.

This was a very popular idea. It was endorsed by Unesco, by the Internet Archive, by the creator of the W3C's existing membership agreement, by hundreds of top security researchers, by the competition expert who coined the term "Net Neutrality", and by hundreds of human rights organizations and activists from the global south. The Open Source Initiative amended its definition of "open standard" so that DRM standards could only qualify as a "open" if they protected legitimate activity.

Now, it's fair to say that the W3C's DRM advocates didn't like the idea. After a perfunctory discussion process (during which some progress was made), they walked away from the negotiations, and the W3C decided to allow the standardization work to continue despite their unwillingness to compromise.

But other W3C members did like the idea. On March 12, the final vote for publishing EME closed, and members ranging from the German National Library to the UK Royal National Institute for Blind People to the cryptocurrency startup Ethereum, to Brave, a new entrant to the browser market -- along with dozens more—rejected the idea of publishing EME without some protections for these equities (the numbers in the vote are confidential by W3C's own membership requirements, but all the members mentioned here have given permission to have their votes revealed.)

It was the most controversial vote in W3C history. As weeks and then months stretched out without a decision, another W3C member, the Center for Democracy and Technology, proposed a very, very narrow version of the covenant, one that would only protect security researchers who revealed accidental or deliberate leaks of data marked as private and sensitive by EME. Netflix's representative dismissed the idea out of hand, and then the W3C's CEO effectively killed the proposal.

Today, the W3C announced that it would publish its DRM standard with no protections and no compromises at all, stating that W3C Director Tim Berners-Lee had concluded that the objections raised "had already been addressed" or that they were "overruled."

In its statement, the W3C said that publishing a DRM standard without protections for core open web activities was better than not doing so, because its DRM had better support for privacy, accessibility, and competition than a non-W3C version of DRM would have.

We disagree. Even by the W3C's own measures, EME represents no improvement upon a non-standards approach, and in some important ways, the W3C's DRM is worse than an ad-hoc, industry approach.

At root is the way that DRM interacts with the law. Take security: the W3C's specification says that users' computers should be protected from privacy-invading activities by DRM vendors, but without a covenant, it's impossible to check whether this is happening. Recall that Netflix, one of the principal advocates for DRM at W3C, categorically rejected the narrowest of covenants, one that would protect solely the activity of revealing DRM flaws that compromised user privacy.

On the question of accessibility, the W3C has simply ignored the substantial formal and informal objections raised by its members, including members with deep expertise in accessibility, such as Vision Australia, Media Access Australia, Benetech, and the RNIB. These organizations pointed out that having a place for assistive data was nice, but to make video accessible, it was necessary to use computers to generate that data.

It's great to say that if you know where all the strobe effects are in 10,000,000 hours of videos, you could add warnings to the timelines of those videos to help people with photosensitive epilepsy. But unless you have an unimaginable army of people who can watch all that video, the practical way to find all those strobes is to feed the video to a computer, after bypassing the DRM. Otherwise, most video will never, ever be made safe for people with photosensitive epilepsy.

Multiply that by the unimaginable armies of people needed to write subtitles, translate audio, and generate descriptive audio tracks, and you've exceeded the entire human race's video-annotating capacity several times over—but barely scratched the surface of what computers can (and will be able to) do.

On the question of competition, the W3C's response is even more frustrating and non-responsive. EME only solves part of the video-transmission standard: for a browser to support EME, it must also license a "Content Decryption Module" (CDM). Without a CDM, video just doesn't work.

All the big incumbents advocating for DRM have licenses for CDMs, but new entrants to the market will struggle to get these CDMs, and in order to get them, they have to make promises to restrict otherwise legal activities (for example, CDM licensing terms prevent users in some parts of Europe from seeing videos made available in other parts of the EU).

The W3C says that none of this makes DRM any worse than what was there before the standards effort, but they're dead wrong. DRM is covered by a mess of criss-crossing patents that make any kind of interoperable DRM transcendentally hard to create -- unless there's some way of cutting through the patent thicket. That's where the W3C comes in: its patent policy requires members to swear not to enforce their patents against people who implement W3C standards. Since the W3C's membership includes key DRM patent owners, it's the one forum where such a standard can be set.

At EFF, we've spent decades defending people engaged in legitimate activities that companies or governments disliked: researchers who go public with defects in products whose users are blithely unaware of them; new entrants to monopolized markets who offer better products with features the cozy old guard don't like; public spirited archivists and accessibility workers who want to preserve digital culture and make sure everyone gets to use it.

We're dismayed to see the W3C literally overrule the concerns of its public interest members, security experts, accessibility members and innovative startup members, putting the institution's thumb on the scales for the large incumbents that dominate the web, ensuring that dominance lasts forever.

This will break people, companies, and projects, and it will be technologists and their lawyers, including the EFF, who will be the ones who'll have to pick up the pieces. We've seen what happens when people and small startups face the wrath of giant corporations whose ire they've aroused. We've seen those people bankrupted, jailed, and personally destroyed.

That's why we fought so hard at the W3C, and it's why we're fighting so hard to fix laws like Section 1201 of the DMCA. We've been suing the US government over the constitutionality of DMCA 1201; in the coming months, we'll be back at the US Copyright Office, arguing to maintain and extend the exemptions to 1201 we won in 2015.

As for the W3C... we're working on it. There is an appeals process for Tim Berners-Lee's decisions at the W3C, which has never been successfully triggered. The entire project of designing technology to control web users, rather than empowering them, has taken the W3C into uncharted waters, and this is the most unfamiliar of them all. We're looking into this, counting noses, and assessing our options. We'll keep you informed.

JavaScript license information