Security researchers: we need your help!

The World Wide Web Consortium has taken the extraordinary, controversial step of standardizing DRM in the form of something called Encrypted Media Extensions, which will be part of HTML5. Because of laws like the DMCA and its international equivalents, security researchers who reveal flaws in HTML5-compliant browsers will face punishing legal jeopardy. We're worried that this means that critical bugs in the browsers billions of people rely upon will take longer to come to light and are more likely to be exploited in the wild.

Last summer, some of the world's most prominent security researchers told the US Copyright Office that the DMCA kept them from coming hforward with flaws they've discovered.

EFF has proposed a way for the W3C to have its DRM cake without eating its security researchers, too. We've written a short, simple "covenant," a binding promise that W3C members would have to sign as a condition of continuing the DRM work at the W3C, and once they do, they not be able to use the DMCA or laws like it to threaten security researchers.

Tomorrow's browsers are supposed to be the universal interface for all of our automated systems, from medical implants to vehicles. The world's security researchers need to know that companies won't have the ability to gag them with legal threats when they embarrass companies by revealing their mistakes.

Free software advocates picketed a recent W3C meeting to call on the organization to reform its DRM work, and the Open Source Initiative says it won't consider a DRM standard to be "open" unless it adopts an agreement modelled on ours.

Its time for the W3C to hear from you, the security researchers whose future it holds in its hands.

If you're a security researcher and are able to lend your voice, please contact us to let us know. We'll forward your comments to Tim Berners-Lee, director of the W3C, and Jeff Jaffe, the organization's CEO.

Signatories:

Bruce Schneier, USA

Alan Cox, UK, Honorary Fellow University of Wales: Trinity St David

Emiliano DeCristofaro, UK, University College London

Dr Steven J. Murdoch, UK, Principal Research Fellow, University College London

Harry Halpin, France, INRIA

Ian Goldberg, Canada, University of Waterloo

Ron Deibert, Canada, Professor of Political Science and Director of the Citizen Lab at the University of Toronto

Jon Andersen, USA

Sergey Bratus, USA, Research Associate Professor, Computer Science Department, Dartmouth College

Joel R. Voss, USA

Paul Garrett Hugel, USA

Jacob Appelbaum, Germany, the Tor Project

Roger Dingledine, USA, the Tor Project

Ronald L. Rivest, USA, MIT

Prof. Dr. Tanja Lange, The Netherlands, Technische Universiteit Eindhoven

Frederic Jacobs,Switzerland, Swiss Institute of Technology (EPFL)

Dr Ian Brown, UK, Oxford Internet Institute, Professor of Information Security and Privacy, University of Oxford

Philipp Winter, USA, Princeton University

Sebastian Garcia, Czech Republic, Czech Technical University

Alex Kirk, USA

Robert Erbes, USA, Assoc. Principal at IOActive

Nadim Kobeissi, France, INRIA.

Sharon Goldberg, USA, Boston University

Roya Ensafi, USA, Princeton University

J. Alex Halderman, USA, University of Michigan

Jacobo Nájera, Mexico, Enjambre Digital

Seda Gurses, USA, Princeton University

Dr. Daniel C. Howe, Hong Kong, School of Creative Media

Marco Ermini, Germany

Gary Cohn, USA

Aaron Massey, USA, University of Maryland, Baltimore County

Greg Rose, USA

Juan Benet, USA, IPFS Project

Alex Leverington, Switzerland, Ethereum

Anil Madhavapeddy, UK, Computer Laboratory, University of Cambridge

Iván Arce, Argentina, Programa STIC, Fundación Dr. Manuel Sadosky

Rikard Linde, Sweden, Director, Fores

Conno Boel, Netherlands, Software Engineering student, Avans University of Applied Sciences, Den Bosch

Paul Mundt, Germany, Adaptant Solutions AG

Mark Seiden, USA, Internet Archive

Stephen Whitmore, USA, IPFS Project

Paul Lindner, USA

Trent McConaghy, Germany/Canada, BigchainDB/IPDB

Sandro Hawke, USA, MIT

David S. H. Rosenthal, USA, LOCKSS Program

Johannes Ernst, USA, Indie Computing Corp

Milos Miljkovic, USA, Tufts University

Sam Bowne, USA, Instructor, Computer Networking and Information Technology, City College San Francisco

John David Pressman

Aaron Zauner, Austria, Lambda: resilient.systems/SBA-Research/Consultant to EFF

Philip Wadler, UK, Professor of Theoretical Computer Science, School of Informatics, University of Edinburgh

Feross Aboukhadijeh, USA, WebTorrent, Stanford University

Harry J. W. Percival, UK

Ross Anderson, UK, Cambridge University

Patrick Durusau, USA

Marco Romano, USA

Thomas Sluyter, the Netherlands

Rens Groenewegen, the Netherlands, Cloud architect, CISSP

Dirk Krijgsman, The Netherlands

Erik Duemig, USA

Gaëtan Leurent, France, Inria

Jeffrey Vagle, USA, University of Pennsylvania Law School

Constantine A. Murenin, USA, NetBSD

Jeremy Tippit, USA

Randy Bush, Japan, IIJ Research Lab

Kraig Beahn, USA, CEO, Enguity Technology Corporation

Tony Vanquez, USA, Director of Regulatory Operations, L2Networks 

Ben Tasker, UK

Vasily Kolobkov, Russia

Thomas Casey Stone, United Kingdom

Nicholas Keene, USA

Grif Rosser, USA, DataCentre Security

Chris Roberts, USA, Sidragon

John Brasher, USA,

Theodore C Newcomb, USA Managing Director, AhwatukeeBuzz

Brendan O'Connor, USA, Leviathan Security Group

Alan Rea, USA, Professor of Information Systems, Western Michigan University

James Vincent Ferrero, USA

Sebastian Schultheiss, Germany, Computomics

Steve Palmateer, Canada, Thalmic Labs

James Renken, Sandwich.Net, LLC

Tom Sullivan, USA, Sullivan Cybernetics, LLC

Gert Steenssens, Belgium, software developer & security researcher

Philip Haworth, UK

Carolyn Guertin, Canada, University of Ontario Institute of Technology

Greg Sadetsky, Canada

Stephen Kent Rose, USA, Lawyer, Attorney, and Counselor at Law

Declan Murphy, USA, electrical engineer

Joby Elliott, USA, Web Developer at University of New Mexico

Margaret Bartley, USA, retired

Micah Sherr, USA, Provost's Distinguished Associate Professor, Department of Computer Science, Georgetown University

Marcelo Elizeche Landó, Paraguay, Infosec Consultant

Nathan Freitas, USA, Guardian Project/Tor Project/Berkman Klein Center

Thomas G Easton, USA

Stephen J Taffee, USA, Retired IT Professional

Pedro Freire, Portugal, Senior IS Consultant

Grant Johnson, USA, Chairman, SIMCO

Jonas A. Hultén, Sweden, computer science student

Scott Kallio, USA, EPIPHANYSOLUTIONS LLC

Thomas Asmuth, USA, Assistant Professor-Digital/New Media, Director, Bachelor of Fine Arts Program, University of West Florida

Dustin Juliano, USA

Chris Collins, Ireland, Software Engineer

Russel Brooks, USA

Tom Ritter, USA

Daniel Haaser, Germany, Computerhilfe Feucht

Matthew L Daniel, USA

Elmar Lecher, Germany

Jose Antonio Ortega Ruiz, USA, CTO, BigML, Inc

Jonathan Poritz, USA

Christopher Brousseau, USA

André Igler, Austria, Chaos Computer Club

John F. Doyle, Ph.D., USA, Indiana University SE

greg vassie, Canada

John Adams, USA, Head of Security, Bolt Financial

K Moser, USA

Jamie Powers, Esq., USA, Data Rights &  Privacy Advisors

Dmitri Dalheim-Baeza, Canada

Ben Dechrai, Australia

James Caruso, USA, InfraStructure Data Management International, Inc.

Ben Johnston,Australia

James L. McKee Jr., USA

Lou Ronnau, USA

Dr. Martin Krafft, Germany, independent security researcher, freedom activist, and Debian developer

Gary Joseph, UK

R Dwayne Ramey, USA

David Williams, USA

Andrew FigPope, USA

Mark Judman, USA

Marc Loehrwald, Germany

Siddharth Ravikumar, USA

Kevin Saylor, USA

Richard E. Robertson, USA, President, Basketcase Software, Missing Worlds Media, Inc.

Jack Daniel, USA, Security BSides

Vasili Revelas, Greece

John Poole, USA

Adriano Peluso, Italy

Douglas Stetner, Australia

Stephen Edgar, Australia

Dominik Golle, Germany, Hertie Network on Digitalization

Tennille Christensen, USA

Aaron Steimle, USA, Glyph IP LLC

Jason Watson, USA

Edward Anderson, USA, Software Engineering Manager at On-Site.com

François Maes, Belgium

brannon rasmussen, USA

James Fowler, USA/Brazil

Alan Mayer, USA, CISA, CRISC and CISSP, Senior Information Security Consultant and Auditor

Félicien Fleury, Switzerland, Information Engineer HES/CISSP, Managing Director, NGSENS SARL

Joseph Lorenzo Hall, USA, Chief Technologist, Center for Democracy & Technology

Brett Campbell, USA

Greg Norcie, USA, Staff Technologist, Center for Democracy & Technology

Jeff Silverman, USA

Robert Walker, USA, CEO, PCPursuit Inc

Vlad Ionescu, USA, Red Team Operations, Mandiant/FireEye

Kent Williams-King, Canada, MSc student at the University of British Columbia

Martin Shelton, USA, The Coral Project and The New York Times

Adarsh Jagannatha, India, Indian Institute of Technology Kanpur (IITK)

Nchinda Nchinda, USA, student, MIT; intern, ConsenSys

Jeremy Pesner, USA, Georgetown University

David Roux, South Africa/USA, Blue Grass Airport, Lexington, KY, USA

Alexander Ose, USA, United States Digital Service

Flynn Joffray, USA

Marcel de Jong, The Netherlands

Salvatore LaMendola, USA

Alexander Urcioli, USA

Donald McFarlane, USA

Andrew Schuch, Canada, CEO of Halo Tech Consulting

David Olesik, Canada, CEGEP in Montreal, Quebec

Jean Harrington, USA

Holger Levsen, Germany, Debian

Chester Wisniewski, Canada, Sophos Inc.

Ryan Mitchkowski, USA

Fred Frazelle, Mexico, Fundación Anisa, A.C.

Charles Berret, USA, Columbia University

Michael Fischer, USA, Professor of Computer Science, Yale University

Thomas Greco, Singapore/Thailand/Japan/Indonesia,  Omise/Ethereum

Joshua R. Simmons, USA, OSI Board Member

Cornel Punga, independent researcher, OWASP Timisoara, Romania

Alexander Finch, Argentina

Antonio Fontes, Switzerland, OWASP Geneva

Kevin W. Wall, USA, OWASP

Harish Pillay, Singapore, Red Hat and ISOC

Johanna Curiel, The Netherlands, independent researcher

Chris HJ Hartgerink, The Netherlands, Tilburg University

Alexander Sulzberger, Ghana, CEO,  Ecoband Networks;  member of AfriCERT;  board member of GISPA; board member of the Ghana Internet Service Provider Association

Justin Comps, USA

Austin Prior, Ireland

Tiago Epifânio, Portugal

Stuart Ward, UK, Fellow, British Computer Society

Jay Sundu, USA, UC-Berkeley

Gianfranco Cecconi, UK, Digital Contraptions Imaginarium Ltd.

Micah Musick, USA, Virtual Fox Technologies

Lorin Ricker, USA

Ron Parachoniak, Canada

François Proulx, Canada, NorthSec

Tom Brennan, USA, OWASP Foundation

Greg Mestas, USA

Milton Smith, USA, OWASP

Katie Moussouris, USA, CEO Luta Security, Co-editor of ISO 29147 Vulnerability disclosure

Dan Zulla, Malta, Thiel Fellow, serial entrepreneur

Robert Rudeloff, USA, OCC (US Treasury)

Gary Dentremont, USA, AT&T

Zachary Falgout, USA, Texas Mutual Insurance

Craig Smith, USA, Research Directory of Transportation Security at Rapid7/Open Garages

Mike Francioch, USA

Richard Garrett Key, USA, University of Texas at Austin

Related Issues