Earlier this year, an independent security researcher named Rotem Kerner came forward to disclose critical bugs in a digital video recorder that was integrated into over 70 vendors' CCTV-based security systems.
The vulnerability is a grave one. These DVRs are designed to be connected to whole networks of security cameras. By compromising them, thieves can spy on their targets using the targets' own cameras. In fact, Kerner was part of a team at RSA who published a report in 2014 that showed that thieves were using these vulnerable systems to locate and target cash registers for robberies.
In the two years since the initial report, Kerner tracked down the original manufacturer, a Chinese company called TVT, and repeatedly notified them about the problems with their system. Not receiving any reply, and alarmed that the vulnerable system was showing up in the product offerings of companies all over the world--more than 70 of them!--Kerner came forward, hoping to at least warn the owners of these systems that they were relying on defective products for their security.
Many of the customers of those 70 companies may never know that they're relying on something so defective to safeguard themselves. That's the worst kind of security situation, a fool's paradise where you think you're secure but you're not. It's the difference between knowing your brakes are faulty and driving slower until you can get them fixed; and discovering they don't work the hard way, at 70mph on a freeway when the person ahead of you stops unexpectedly (ouch).
But as bad as that is, it might be getting a lot worse, thanks to regrettable decisions at the World Wide Web Consortium (W3C), a venerable organization that champions open standards, transparency and competition for the Web. Since 2013, the W3C has hosted a group that includes tech giants and huge entertainment companies who are collaborating on a standard that could lead to browsers that control their users' computers in important ways, preventing users from doing things with videos that copyright holders object to, irrespective of whether those objections coincide with what the law allows users to do.
This standard, called "Encrypted Media Extensions" (EME), involves technologies that are guarded by a global meshwork of notorious laws called "anti-circumvention laws." These laws prohibit tampering with or compromising digital locks, even for lawful purposes, if those locks are used to restrict access to copyrighted works. These laws, including the 1998 Digital Millennium Copyright Act in the U.S., have spread around the world. The U.S. Trade Representative has repeatedly made adopting these rules a condition of trade with America.
Critically, anti-circumvention laws can put security researchers in legal jeopardy. Vendors have used the rule against breaking digital locks to threaten--and even imprison!--security researchers who come forward to warn people about defects in their products. After all, no company likes to have their mistakes laid bare before their customers, and anti-circumvention has been a useful threat to silence researchers who discover embarrassing facts.
Anti-circumvention laws lead many researchers to keep their findings to themselves, because they or their organizations fear reprisals.
Which brings us back to Rotem Kerner and TVT. Digital locks, like the ones that W3C's EME proposal calls for, are just the sort of thing an organization might look for in its security systems. After all, many regulators impose strict limits on how long security videos may be retained, and insurers write policies for their customers that require that they purge their surveillance data after a set period, to limit their liability in the event of a breach. A system like EME could be a godsend for head offices that want to set policy on the security systems in all their nationwide branches, causing stored video to become inaccessible after the retention period, backstopping the existing regime of compliance audits.
CCTV and video recorders that include EME or other digital locks could effectively become off-limits to the sort of important disclosures that Kerner made last month. A researcher coming forward about vulnerabilities in a system that includes EME could risk criminal and civil punishments.
It doesn't have to be this way. EFF asked the W3C to adopt a legally binding policy that would prohibit its members from invoking anti-circumvention law against security researchers. Enough W3C members agreed with us that the group working on EME wasn't able to renew its charter. But after three months of discussion, with no agreement in hand, the executive of the W3C decided to let the EME work continue without any safeguards for security research.
The lack of consensus on this issue suggests that some technology companies want to preserve their ability to use the DMCA to shut down embarrassing disclosures. After decades of removing impediments to implementing core Web technology, the W3C is now on its way to creating a new impediment to the open Web, one that will expose users to untold security risks.
The W3C working group that is finalizing EME still has the option of voluntarily adopting a legally binding policy safeguarding security researchers. With your help in spreading the word, we will continue to urge them to do the right thing.