One of the bitterest struggles against DRM is still taking place on the Web's own home turf — at the World Wide Web Consortium, the Web's own standards organization. Last year, the consortium accepted as in scope the development of Encrypted Media Extensions, an addition to the HTML5 standard intended to support DRM within browsers. EME envisages a future where restricted content could be served within Web pages, apparently as a fully-fledged element of the Web ecosystem, but locked away from user control or fair use, and controlled by tools that can override user preferences.
It's been over a year since the EME standard began its move through the committees of the W3C. The good news is that standards move slowly, and EME is no exception. Internal work on the EME proposal continues, but it's been going no faster (or slower) than any other Internet standard, and still remains in draft.
The bad news is the W3C itself continues to resist any implication that systems like EME, which exist to support DRM, aren't in the best interests of the Web, or, for that matter, the W3C. The W3C rejected our suggestion that overruling end-user control (as DRM must) was a dangerous new policy step that should have been thoroughly and publicly debated before accepting work on EME. We predicted that, having crossed the DRM rubicon, the W3C was due to face a barrage of new actors, keen to import their own means to impose control over users into the W3C's framework. It's the way of DRM: once you concede that anyone other than the owner has the right to take control of digital devices, everyone wants a go.
What happened next? Well, here's our W3C timeline since our post in October.
In December, the MPAA joined the W3C. Enough said.
In January, Mark Watson of Netflix explained to the W3C that its DRM requirements for an acceptable EME content decryption module were confidential. The W3C's CEO asked, politely, if those requirements could be made public. No go.
In February, W3C member and cable TV provider Cox Communications objected to language in a Web Application security proposal that stated that Web apps should not interfere with the operation of bookmarklets and plug-ins. In other words, Cox wanted to ensure that third-party applications should be able to override end-user preferences. After the pro-user language was deleted at Cox's request, a compromise was eventually reached: browsers may allow users to bypass policy enforcement.
In March, the ATSC (Advanced Television Systems Committee), under whose auspices the content industry attempted to bake DRM into over-the-air broadcast TV (until an anti-DRM alliance, including the EFF, beat them in the courts), approached the W3C to work together to "focus our considerations for alignment on ... six areas" including "content protection/DRM."
In April, the Interactive Advertising Bureau, an organization whose General Counsel calls ad-blocking software a "fundamental threat," and whose President described Mozilla as "implacably opposed to advertising" and "the primary purveyors of the Adblock-Plus browser add-on," joined the W3C as a full member.
Organizations like the W3C rely on consensus. But if you don't establish your own vision and leadership for what should be created through consensus, you'll either end up captured by those who have the time and the money to get what they want, or be caught in a permanent crossfire of groups with very different ideas of the end-goal.
In this time of conflict over the effect of DRM on the Web, we continue to urge the W3C to look to its own priority of constituencies. In a world where business interests continue to use DRM, backed by laws such as the DMCA and secret contracts, to seize control of our devices (from phones to coffeemakers), the W3C could still be a standards organization that, like the Web, puts the user first. Without that explicit principle, it will continue to be buffeted toward what its best-resourced members want. For an increasing number of its participants, that will be a short term craving for the simple solutions of DRM, with the long term result of a closed and locked-down Web environment.