Ian Hickson, who edits the HTML specification at the Web Hypertext Application Technology Working Group (WHATWG), called out the World Wide Web Consortium (W3C) for not offering security researchers legal protection when they report bugs in web DRM schemes. Hickson previously oversaw the standardization of the HTML5 specification at the W3C and also protested the W3C’s adoption of the DRM-enabling Encrypted Media Extensions (EME).
EME’s Failed Promise
Over the past few years, the W3C has been working on implementing an HTML extension that would bring DRM to the web. The EME standard was mainly promoted by Netflix (opens in new tab). At the time, the company was trying to eliminate the need for the Silverlight plugin, which Microsoft was about to kill. The promise of EME was that users would be able to stream Netflix videos without having to install any other plugin or app on their computers.
However, things didn’t go quite as promised, as according to Hickson, EME is itself a plug-in mechanism for proprietary DRM modules. You could also see that Firefox, for instance, has to load up both Adobe (Primetime) and Google’s (Widevine) DRM plugins for video to work.
Therefore, EME didn’t get rid of plugins, but instead changed what plugins we need in order to play DRM-protected media. Instead of installing a Flash or Silverlight plugin, we’d now install the DRM plugins from other companies.
Making The Legal Illegal
Beyond EME’s failures, there’s also a long debate about how DRM isn’t stopping copyright infringements at all, but instead is used as a tool to control distributors and prevent people from using content in otherwise legally permissible ways (fair use doctrine in the U.S.).
However, Hickson’s biggest problem with EME and its enabling of DRM on the web is with how the DMCA makes it illegal for security researchers to disclose vulnerabilities in DRM software without a vendor’s permission. Vendors may not always respond well to others finding vulnerabilities in their software. Sometimes, that may lead to software being vulnerable for too long if the bugs are hidden from the public.
According to Hickson, browser security is bad enough as it is, and browsers are constantly getting exploited. Chilling the research on browser security would make things worse.
The WHATWG proposed that the W3C require each company working on the EME specification to sign an agreement in which they agree not to sue security researchers studying EME. According to the group, the W3C already requires a similar agreement for patents, and this new agreement would be an extension to that.
The W3C has so far refused to require this, so Hickson’s group is now calling the W3C out for endangering the health of the web as a whole. Hickson’s letter to the W3C was co-signed by other WHATWG members such as Simon Pieters from Opera and Anne van Kesteren from Mozilla.
The EFF (a member of the W3C) also called out the W3C earlier this year over the same issue. It has also been leading a parallel fight to kill Section 1201 of the DMCA once and for all, so that security researchers and anyone else would be free to tinker with DRM-enabled devices without fear of legal repercussions.
W3C’s Charter Renewal
The reason there are now new calls on W3C to agree to this “DRM nonaggression covenant” is because the W3C’s charter will expire in less than a week, and it will have to be renewed. The last time the proposal to protect EME security researchers was made, the W3C board rejected it.
The movement to fix this issue has grown much larger since then. There are now 20 W3C members who are willing to block the new charter unless the W3C agrees to protect security researchers from DMCA lawsuits, according to the EFF.
So far, only a single browser vendor is supporting the EFF's and WHATWG's proposal--Brave, the new browser from Mozilla’s former CEO, Brendan Eich. Google and Microsoft were the co-creators of the Encrypted Media Extension, along with Netflix, so chances are they will also be among the last to support the DMCA protection agreement.
We have contacted the W3C for an official response.