Dear Tim, Jeff, and W3C colleagues,

On behalf of the Electronic Frontier Foundation, I would like to formally submit our request for an appeal of the Director's decision to publish Encrypted Media Extensions as a W3C Recommendation, announced on 6 July 2017.

The grounds for this appeal are that the question of a covenant to protect the activities that made DRM standardization a fit area for W3C activities was never put to the W3C membership. In the absence of a call for consensus on a covenant, it was improper for the Director to overrule the widespread members' objections and declare EME fit to be published as a W3C Recommendation.

The announcement of the Director's decision enumerated three ways in which DRM standardization through the W3C -- even without a covenant -- was allegedly preferable to allowing DRM to proceed through informal industry agreements: the W3C's DRM standard was said to be superior in its accessibility, its respect of user privacy, and its ability to level the playing field for new entrants to the market.

However, in the absence of a covenant, none of these benefits can be realized. That is because laws like the implementations of Article 6 of the EUCD, Section 1201 of the US Digital Millennium Copyright Act, and Canada's Bill C-11 prohibit otherwise lawful activity when it requires bypassing a DRM system.

1. The enhanced privacy protection of a sandbox is only as good as the sandbox, so we need to be able to audit the sandbox.

The privacy-protecting constraints the sandbox imposes on code only work if the constraints can't be bypassed by malicious or defective software. Because security is a process, not a product and because there is no security through obscurity, the claimed benefits of EME's sandbox require continuous, independent verification in the form of adversarial peer review by outside parties who do not face liability when they reveal defects in members' products.

This is the norm with every W3C recommendation: that security researchers are empowered to tell the truth about defects in implementations of our standards. EME is unique among all W3C standards past and present in that DRM laws confer upon W3C members the power to silence security researchers.

EME is said to be respecting of user privacy on the basis of the integrity of its sandboxes. A covenant is absolutely essential to ensuring that integrity.

2. The accessibility considerations of EME omits any consideration of the automated generation of accessibility metadata, and without this, EME's accessibility benefits are constrained to the detriment of people with disabilities.

It's true that EME goes further than other DRM systems in making space available for the addition of metadata that helps people with disabilities use video. However, as EME is intended to restrict the usage and playback of video at web-scale, we must also ask ourselves how metadata that fills that available space will be generated.

For example, EME's metadata channels could be used to embed warnings about upcoming strobe effects in video, which may trigger photosensitive epileptic seizures. Applying such a filter to (say) the entire corpus of videos available to Netflix subscribers who rely on EME to watch their movies would safeguard people with epilepsy from risks ranging from discomfort to severe physical harm.

There is no practical way in which a group of people concerned for those with photosensitive epilepsy could screen all those Netflix videos and annotate them with strobe warnings, or generate them on the fly as video is streamed. By contrast, such a feat could be accomplished with a trivial amount of code. For this code to act on EME-locked videos, EME's restrictions would have to be bypassed.

It is legal to perform this kind of automated accessibility analysis on all the other media and transports that the W3C has ever standardized. Thus the traditional scope of accessibility compliance in a W3C standard -- "is there somewhere to put the accessibility data when you have it?" -- is insufficient here. We must also ask, "Has W3C taken steps to ensure that the generation of accessibility data is not imperiled by its standard?"

There are many kinds of accessibility metadata that could be applied to EME-restricted videos: subtitles, descriptive tracks, translations. The demand for, and utility of, such data far outstrips our whole species' ability to generate it by hand. Even if we all labored for all our days to annotate the videos EME restricts, we would but scratch the surface.

However, in the presence of a covenant, software can do this repetitive work for us, without much expense or effort.

3. The benefits of interoperability can only be realized if implementers are shielded from liability for legitimate activities.

EME only works to render video with the addition of a nonstandard, proprietary component called a Content Decryption Module (CDM). CDM licenses are only available to those who promise not to engage in lawful conduct that incumbents in the market dislike.

For a new market entrant to be competitive, it generally has to offer a new kind of product or service, a novel offering that overcomes the natural disadvantages that come from being an unknown upstart. For example, Apple was able to enter the music industry by engaging in lawful activity that other members of the industry had foresworn. Likewise Netflix still routinely engages in conduct (mailing out DVDs) that DRM advocates deplore, but are powerless to stop, because it is lawful. The entire cable industry -- including Comcast -- owes its existence to the willingness of new market entrants to break with the existing boundaries of "polite behavior."

EME's existence turns on the assertion that premium video playback is essential to the success of any web player. It follows that new players will need premium video playback to succeed -- but new players have never successfully entered a market by advertising a product that is "just like the ones everyone else has, but from someone you've never heard of."

The W3C should not make standards that empower participants to break interoperability. By doing so, EME violates the norm set by every other W3C standard, past and present.

Through this appeal, we ask that the membership be formally polled on this question: "Should a covenant protecting EME's users and investigators against anti-circumvention regulation be negotiated before EME is made a Recommendation?"

Thank you. We look forward to your guidance on how to proceed with this appeal.

Related Issues